Modified: trunk/LayoutTests/ChangeLog (198291 => 198292)
--- trunk/LayoutTests/ChangeLog 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/ChangeLog 2016-03-16 19:46:49 UTC (rev 198292)
@@ -1,3 +1,80 @@
+2016-03-16 Daniel Bates <[email protected]>
+
+ <video> and <audio> elements do not obey Content Security Policy on redirect
+ https://bugs.webkit.org/show_bug.cgi?id=155509
+ <rdar://problem/10234844>
+
+ Reviewed by Alex Christensen.
+
+ Add tests to ensure that the Content Security Policy is enforced on redirects when
+ loading a subresource, including a video or audio file.
+
+ * http/tests/resources/redirect.php: Fix PHP "undefined index" warnings when either query
+ parameter code or refresh (or both) are not specified.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
+ * http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
+ * http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
+ * http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
+ * http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
+ * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
+ * http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
+ * platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+ until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. We will also need to fix
+ <https://bugs.webkit.org/show_bug.cgi?id=153866> before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
+ As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
+ * platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+ until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. As far as I can tell the functionality
+ exercised by these tests is not being using by the GTK port.
+ * platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
+ AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
+ * platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
+ * platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+ until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. The functionality exercised by these
+ tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
+ http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
+ Content Security Policy for media redirects in these versions of OS X.
+
2016-03-16 Jiewen Tan <[email protected]>
URL Parsing should signal failure for illegal IDN
Modified: trunk/LayoutTests/http/tests/resources/redirect.php (198291 => 198292)
--- trunk/LayoutTests/http/tests/resources/redirect.php 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/http/tests/resources/redirect.php 2016-03-16 19:46:49 UTC (rev 198292)
@@ -6,23 +6,21 @@
}
$url = ""
- $refresh = $_GET['refresh'];
-
- if (isset($refresh)) {
+
+ if (isset($_GET['refresh'])) {
header("HTTP/1.1 200");
- header("Refresh: $refresh; url=""
+ header("Refresh: " . $_GET['refresh'] . "; url=""
addCacheControl();
return;
}
- $code = $_GET['code'];
- if (!isset($code))
+ if (!isset($_GET['code']))
header("HTTP/1.1 302 Found");
- elseif ($code == 308) {
+ elseif ($_GET['code'] == 308) {
# Apache 2.2 (and possibly some newer versions) cannot generate a reason string for code 308, and sends a 500 error instead.
header("HTTP/1.1 308 Permanent Redirect");
} else
- header("HTTP/1.1 $code");
+ header("HTTP/1.1 " . $_GET['code']);
header("Location: $url");
addCacheControl();
?>
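Review bot: The new code reads `$_GET['code']` three times (the `isset` test, the `== 308` comparison and the status line) where the old code had a single local; the tidier fix for the undefined-index warning is to keep the local and guard its initialisation, casting to `int` so that a non-numeric query value cannot produce a malformed `HTTP/1.1 ...` status line and so that PHP's loose `==` (which on the PHP versions of the day treats a leading-numeric string such as `"308x"` as 308) is not relied on. The same pattern applies to `$_GET['refresh']`, though PHP's `header()` already rejects values containing newlines, so that one is readability rather than an injection concern. The `$url` assignment and the `url=` fragments appear truncated in this rendering, so I have not reviewed them.
```php
$code = isset($_GET['code']) ? (int)$_GET['code'] : null;
if ($code === null)
    header("HTTP/1.1 302 Found");
elseif ($code == 308) {
    # … unchanged: Apache 2.2 comment …
    header("HTTP/1.1 308 Permanent Redirect");
} else
    header("HTTP/1.1 $code");
```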
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<audio src="" _onloadedmetadata_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')"></audio>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/balls-of-the-orient.aif' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<audio src="" _onloadedmetadata_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')"></audio>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+<style>
+@font-face {
+ font-family: "Ahem";
+ src: url("http://127.0.0.1:8000/resources/redirect.php?code=307&url="" format("woff");
+}
+</style>
+</head>
+<body>
+<p>Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
+<script>
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+ window.setTimeout("window.testRunner.notifyDone();", 0);
+</script>
+</body>
+</html>
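Review bot: This allowed-case test passes vacuously if the font never loads for a non-CSP reason (a 404 behind redirect.php, an unsupported format), because the expectation only checks for the absence of console messages; image-redirect-allowed.html, svg-font-redirect-allowed.html and svg-image-redirect-allowed.html have the same gap, whereas the audio, script and stylesheet variants wire `onerror` to `alertAndDone('FAIL')`. For the two `<img>` tests an `onerror="alert('FAIL')"` on the element would close it, with the expected output updated accordingly. For the CSS and SVG font cases there is no element-level error event to hook here, so at minimum the comment `// Use a zero timer to wait until the font loaded.` should state what actually guarantees the redirected font request has finished before `notifyDone` runs, since a zero-delay timer by itself does not wait for a network fetch. The `src=""` values are truncated in this rendering, so I could not confirm which redirect URL and format each test requests.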
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/resources/Ahem.woff' because it violates the following Content Security Policy directive: "font-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php">
+<style>
+@font-face {
+ font-family: "Ahem";
+ src: url("http://127.0.0.1:8000/resources/redirect.php?code=307&url="" format("woff");
+}
+</style>
+</head>
+<body>
+<p>Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
+<script>
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+ window.setTimeout("window.testRunner.notifyDone();", 0);
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<img src="" width="128" height="128">
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<img src="" width="128" height="128">
+</body>
+</html>
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg (from rev 198291, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg) (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <defs>
+ <!-- Based on DejaVu Serif (http://dejavu-fonts.org/wiki/index.php?title=License) -->
+ <font id="ABCFont" horiz-adv-x="1716">
+ <font-face
+ font-family="DejaVu Serif"
+ font-weight="400"
+ font-stretch="normal"
+ units-per-em="2048"
+ panose-1="2 6 6 3 5 6 5 2 2 4"
+ ascent="1556"
+ descent="-492"
+ x-height="1063"
+ cap-height="1493"
+ bbox="-1576 -710 3439 2544"
+ underline-thickness="90"
+ underline-position="-85"
+ unicode-range="U+0020-U+1D7E1"
+ />
+
+ <missing-glyph horiz-adv-x="1229" d="M102 -362v1806h1024v-1806h-1024zM217 -248h795v1577h-795v-1577z" />
+
+ <glyph glyph-name="space" unicode=" " horiz-adv-x="651" />
+
+ <glyph glyph-name="a" unicode="a" horiz-adv-x="1221"
+ d="M815 334v225h-237q-137 0 -204 -59t-67 -181q0 -111 68 -176t184 -65q115 0 185.5 71t70.5 185zM999 664v-558h164v-106h-348v115q-61 -74 -141 -109t-187 -35q-177 0 -281 94t-104 254q0 165 119 256t336 91h258v73q0 121 -73.5 187.5t-206.5 66.5q-110 0 -175 -50t-81 -148h-95v215q96 41 186.5 61.5t176.5 20.5q221 0 336.5 -109.5t115.5 -318.5z" />
+ <glyph glyph-name="b" unicode="b" horiz-adv-x="1311"
+ d="M236 106v1344h-177v106h361v-659q54 100 137.5 147.5t206.5 47.5q196 0 320 -155t124 -405t-124 -405.5t-320 -155.5q-123 0 -206.5 47.5t-137.5 147.5v-166h-361v106h177zM420 479q0 -192 73.5 -292.5t213.5 -100.5q141 0 213.5 113t72.5 333q0 221 -72.5 333t-213.5 112q-140 0 -213.5 -101t-73.5 -292v-105z" />
+ <glyph glyph-name="c" unicode="c" horiz-adv-x="1147"
+ d="M1053 319q-39 -170 -150 -259t-287 -89q-232 0 -373 153.5t-141 407.5q0 255 141 407.5t373 152.5q101 0 201 -23.5t201 -71.5v-272h-107q-21 140 -91.5 204t-201.5 64q-149 0 -225 -115.5t-76 -345.5t75.5 -346t225.5 -116q119 0 190 62t97 187h148z" />
+ <glyph glyph-name="ellipsis" unicode="…" horiz-adv-x="1638" d="M133 0v268h279v-268h-279zM680 0v268h278v-268h-278zM1225 0v268h278v-268h-278z" />
+ </font>
+ </defs>
+</svg>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+ <html xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ alert("FAIL");
+ </script>
+ </body>
+ </html>
+</xsl:template>
+</xsl:stylesheet>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+ <html xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ alert("PASS");
+ </script>
+ </body>
+ </html>
+</xsl:template>
+</xsl:stylesheet>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <rect x="0" y="0" width="100px" height="100px" fill="green"/>
+</svg>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <rect x="0" y="0" width="100px" height="100px" fill="red"/>
+</svg>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,13 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'");
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+echo '<?xml-stylesheet type="text/xsl" href="" . "\n";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,20 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'");
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+echo '<?xml-stylesheet type="text/xsl" href="" . "\n";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+<script type="text/_javascript_">
+//<![CDATA[
+if (window.testRunner)
+ testRunner.dumpAsText();
+alert("PASS");
+//]]>
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'">
+<script src="" _onerror_="alertAndDone('FAIL')"></script>
+</head>
+<body>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'".
+
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'">
+<script src="" _onerror_="alertAndDone('PASS')"></script>
+</head>
+<body>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+<link rel="stylesheet" href="" _onload_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')">
+</head>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load the stylesheet 'http://localhost:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: "style-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.php">
+<link rel="stylesheet" href="" _onload_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')">
+</head>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<svg viewBox="0 0 100 100">
+ <font-face>
+ <font-face-src>
+ <font-face-uri font-family="ABCFont" xlink:href=""
+ </font-face-src>
+ </font-face>
+</svg>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg' because it violates the following Content Security Policy directive: "font-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<svg viewBox="0 0 100 100">
+ <font-face>
+ <font-face-src>
+ <font-face-uri font-family="ABCFont" xlink:href=""
+ </font-face-src>
+ </font-face>
+</svg>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<img src="" width="128" height="128">
+</body>
+</html>
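Review bot: The allowed variant has no positive signal that the image loaded: it passes whenever no CSP console message appears, so a 404 on the redirect target or a mistyped `src` would pass too. The track and video tests in this change use `alertAndDone` on load and error; the same pattern would make this test assert what its description claims, e.g. `<img src="…" width="128" height="128" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">` together with the helper script those tests include. The blocked variant is fine as is, since its console message is the proof.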
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg' because it violates the following Content Security Policy directive: "img-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<img src="" width="128" height="128">
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<video>
+ <track src="" kind="captions" _onload_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')">
+</video>
+<script>
+document.querySelector("track").track.mode = "hidden"; // Load the track
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<video>
+ <track src="" kind="captions" _onload_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')">
+</video>
+<script>
+document.querySelector("track").track.mode = "hidden"; // Load the track
+</script>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html (198291 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -24,7 +24,7 @@
fontFaceSrc.appendChild(fontFaceURI);
fontFace.setAttributeNS(null, "font-family", "ABCFont");
- fontFaceURI.setAttributeNS("http://www.w3.org/1999/xlink", "href", "resources/ABCFont.svg#ABCFont");
+ fontFaceURI.setAttributeNS("http://www.w3.org/1999/xlink", "href", "../resources/ABCFont.svg#ABCFont");
}
runTest();
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg (198291 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg 2016-03-16 19:46:49 UTC (rev 198292)
@@ -1,35 +0,0 @@
-<?xml version="1.0"?>
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs>
- <!-- Based on DejaVu Serif (http://dejavu-fonts.org/wiki/index.php?title=License) -->
- <font id="ABCFont" horiz-adv-x="1716">
- <font-face
- font-family="DejaVu Serif"
- font-weight="400"
- font-stretch="normal"
- units-per-em="2048"
- panose-1="2 6 6 3 5 6 5 2 2 4"
- ascent="1556"
- descent="-492"
- x-height="1063"
- cap-height="1493"
- bbox="-1576 -710 3439 2544"
- underline-thickness="90"
- underline-position="-85"
- unicode-range="U+0020-U+1D7E1"
- />
-
- <missing-glyph horiz-adv-x="1229" d="M102 -362v1806h1024v-1806h-1024zM217 -248h795v1577h-795v-1577z" />
-
- <glyph glyph-name="space" unicode=" " horiz-adv-x="651" />
-
- <glyph glyph-name="a" unicode="a" horiz-adv-x="1221"
- d="M815 334v225h-237q-137 0 -204 -59t-67 -181q0 -111 68 -176t184 -65q115 0 185.5 71t70.5 185zM999 664v-558h164v-106h-348v115q-61 -74 -141 -109t-187 -35q-177 0 -281 94t-104 254q0 165 119 256t336 91h258v73q0 121 -73.5 187.5t-206.5 66.5q-110 0 -175 -50t-81 -148h-95v215q96 41 186.5 61.5t176.5 20.5q221 0 336.5 -109.5t115.5 -318.5z" />
- <glyph glyph-name="b" unicode="b" horiz-adv-x="1311"
- d="M236 106v1344h-177v106h361v-659q54 100 137.5 147.5t206.5 47.5q196 0 320 -155t124 -405t-124 -405.5t-320 -155.5q-123 0 -206.5 47.5t-137.5 147.5v-166h-361v106h177zM420 479q0 -192 73.5 -292.5t213.5 -100.5q141 0 213.5 113t72.5 333q0 221 -72.5 333t-213.5 112q-140 0 -213.5 -101t-73.5 -292v-105z" />
- <glyph glyph-name="c" unicode="c" horiz-adv-x="1147"
- d="M1053 319q-39 -170 -150 -259t-287 -89q-232 0 -373 153.5t-141 407.5q0 255 141 407.5t373 152.5q101 0 201 -23.5t201 -71.5v-272h-107q-21 140 -91.5 204t-201.5 64q-149 0 -225 -115.5t-76 -345.5t75.5 -346t225.5 -116q119 0 190 62t97 187h148z" />
- <glyph glyph-name="ellipsis" unicode="…" horiz-adv-x="1638" d="M133 0v268h279v-268h-279zM680 0v268h278v-268h-278zM1225 0v268h278v-268h-278z" />
- </font>
- </defs>
-</svg>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<video src="" _onloadedmetadata_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')"></video>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/test.mp4' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<video src="" _onloadedmetadata_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')"></video>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,7 @@
+ALERT: PASS
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+
+ // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+ testRunner.addOriginAccessWhitelistEntry("http://127.0.0.1:8000", "http", "localhost", false);
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'".
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html (0 => 198292)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+
+ // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+ testRunner.addOriginAccessWhitelistEntry("http://127.0.0.1:8000", "http", "localhost", false);
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</body>
+</html>
Modified: trunk/LayoutTests/platform/efl/TestExpectations (198291 => 198292)
--- trunk/LayoutTests/platform/efl/TestExpectations 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/platform/efl/TestExpectations 2016-03-16 19:46:49 UTC (rev 198292)
@@ -643,7 +643,6 @@
webkit.org/b/153866 http/tests/media/video-served-as-text.html [ Crash ]
webkit.org/b/153866 http/tests/media/video-throttled-load-metadata.html [ Crash ]
webkit.org/b/153866 http/tests/media/video-useragent.html [ Crash ]
-webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Crash ]
webkit.org/b/153866 http/tests/security/inactive-document-with-empty-security-origin.html [ Crash ]
webkit.org/b/153866 http/tests/security/isolatedWorld/userGestureEvents.html [ Crash ]
webkit.org/b/153866 http/tests/security/local-video-source-from-remote.html [ Crash ]
@@ -2966,3 +2965,6 @@
fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
+
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
Modified: trunk/LayoutTests/platform/gtk/TestExpectations (198291 => 198292)
--- trunk/LayoutTests/platform/gtk/TestExpectations 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/platform/gtk/TestExpectations 2016-03-16 19:46:49 UTC (rev 198292)
@@ -691,6 +691,8 @@
webkit.org/b/154390 http/tests/media/hls/hls-accessiblity-describes-video.html [ Timeout Failure ]
webkit.org/b/154390 http/tests/media/hls/video-cookie.html [ Failure ]
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
#////////////////////////////////////////////////////////////////////////////////////////
# End of Expected failures
Added: trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: FAIL
+
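Review bot: Checking in `ALERT: FAIL` as the platform-expected output turns a known CSP enforcement gap into a green test, which is the opposite of what a security regression test should do. The mac TestExpectations hunk in this same change handles the identical gap with a `[ Failure ]` entry and a comment, so the iOS simulator should use the same mechanism and reference the bug tracking the platform media loader, rather than a platform-specific expected file that keeps passing no matter how the gap evolves. The same applies to the video-redirect-blocked expectation added below it.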
Added: trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (0 => 198292)
--- trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt 2016-03-16 19:46:49 UTC (rev 198292)
@@ -0,0 +1,2 @@
+ALERT: FAIL
+
Modified: trunk/LayoutTests/platform/mac/TestExpectations (198291 => 198292)
--- trunk/LayoutTests/platform/mac/TestExpectations 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/platform/mac/TestExpectations 2016-03-16 19:46:49 UTC (rev 198292)
@@ -1342,3 +1342,10 @@
[ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
[ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
[ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
+
+# Content Security Policy for media redirects is not supported on some OSes.
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html [ Failure ]
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/video-redirect-blocked.html [ Failure ]
+
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
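Review bot: The two `[ Failure ]` lines for audio-redirect-blocked and video-redirect-blocked carry no `webkit.org/b/…` reference, unlike every other entry added here, so the gap they document (CSP not applied to media redirects on Yosemite and El Capitan) has nothing forcing it to be revisited. Prefix them with the bug that tracks the platform media loader and make the comment say what the gap actually is, e.g. `# Media redirects bypass Content Security Policy on these OSes when the platform media stack performs the load itself.` I am inferring the cause from the expectation files, since this diff does not show the platform loader path.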
Modified: trunk/Source/WebCore/ChangeLog (198291 => 198292)
--- trunk/Source/WebCore/ChangeLog 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/ChangeLog 2016-03-16 19:46:49 UTC (rev 198292)
@@ -1,3 +1,86 @@
+2016-03-16 Daniel Bates <[email protected]>
+
+ <video> and <audio> elements do not obey Content Security Policy on redirect
+ https://bugs.webkit.org/show_bug.cgi?id=155509
+ <rdar://problem/10234844>
+
+ Reviewed by Alex Christensen.
+
+ Fixes an issue where the Content Security Policy of the page was not enforced
+ on redirects when loading a media subresource via an HTML video or HTML audio
+ element.
+
+ Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
+
+ * inspector/InspectorPageAgent.cpp:
+ (WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
+ (WebCore::InspectorPageAgent::cachedResourceType): Ditto.
+ * loader/MediaResourceLoader.cpp:
+ (WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
+ of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+ resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+ initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
+ more details.
+ * loader/ResourceLoadInfo.cpp:
+ (WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
+ CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
+ remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
+ the switch block in this function is not updated.
+ * loader/SubresourceLoader.cpp:
+ (WebCore::logResourceLoaded): Ditto.
+ * loader/cache/CachedRawResource.cpp:
+ (WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
+ CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+ * loader/cache/CachedRawResource.h:
+ (isType): Ditto.
+ * loader/cache/CachedResource.cpp:
+ (WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
+ we do currently.
+ * loader/cache/CachedResource.h:
+ (WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
+ of this resource is a main resource, media resource, or raw resource.
+ (WebCore::CachedResource::isMainOrRawResource): Deleted.
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::createResource): Treat media resources as raw resources just as we do currently.
+ (WebCore::CachedResourceLoader::requestMedia): Added.
+ (WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
+ just as we do currently.
+ (WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
+ just as we do currently.
+ (WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
+ do currently. Query the Content Security Policy of the page to determine if the media resource can be
+ requested.
+ (WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
+ for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+ * loader/cache/CachedResourceLoader.h:
+ * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+ (WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
+ of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+ resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+ initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
+ more details. Additionally, simplified code that determined whether to request the media resource or error out
+ by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
+ nullptr for 0.
+
2016-03-16 Chris Dumez <[email protected]>
Unreviewed, rolling out r198235, r198240, r198241, and
Modified: trunk/Source/WebCore/inspector/InspectorPageAgent.cpp (198291 => 198292)
--- trunk/Source/WebCore/inspector/InspectorPageAgent.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/inspector/InspectorPageAgent.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -163,6 +163,7 @@
case CachedResource::Script:
*result = downcast<CachedScript>(*cachedResource).script().toString();
return true;
+ case CachedResource::MediaResource:
case CachedResource::RawResource: {
auto* buffer = cachedResource->resourceBuffer();
if (!buffer)
@@ -314,6 +315,7 @@
return InspectorPageAgent::StylesheetResource;
case CachedResource::Script:
return InspectorPageAgent::ScriptResource;
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
return InspectorPageAgent::XHRResource;
case CachedResource::MainResource:
Modified: trunk/Source/WebCore/loader/MediaResourceLoader.cpp (198291 => 198292)
--- trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -55,13 +55,14 @@
RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
+ // FIXME: Skip Content Security Policy check if the element that inititated this request
+ // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));
if (!m_crossOriginMode.isNull())
updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
- CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestRawResource(cacheRequest);
+ CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestMedia(cacheRequest);
if (!resource)
return nullptr;
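Review bot: The comment being replaced said `DoPolicyCheck` was an inert placeholder; the new FIXME never states that the value is now load-bearing, which is the first thing a future reader needs before flipping it to `SkipPolicyCheck`. Also `inititated` is misspelled (the same typo appears in WebCoreAVFResourceLoader.mm). Suggest `// Content Security Policy (media-src) is enforced for this load, including across redirects.` ahead of the FIXME, with `initiated` corrected. requestResource begins before this hunk.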
Modified: trunk/Source/WebCore/loader/ResourceLoadInfo.cpp (198291 => 198292)
--- trunk/Source/WebCore/loader/ResourceLoadInfo.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/ResourceLoadInfo.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -55,6 +55,7 @@
#endif
return ResourceType::Font;
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
return ResourceType::Raw;
@@ -62,8 +63,11 @@
case CachedResource::TextTrackResource:
return ResourceType::Media;
#endif
- default:
+#if ENABLE(LINK_PREFETCH)
+ case CachedResource::LinkPrefetch:
+ case CachedResource::LinkSubresource:
ASSERT_NOT_REACHED();
+#endif
};
}
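Review bot: With `default:` gone, the LinkPrefetch/LinkSubresource cases still end at `ASSERT_NOT_REACHED()` with no return, so in release builds, where that macro is normally a no-op, `toResourceType` falls off the end of a non-void function; the old `default:` had the same flaw, but this rewrite is the moment to fix it. Use `RELEASE_ASSERT_NOT_REACHED();` there if the WTF in tree provides it, or follow the assert with an explicit `return ResourceType::Raw;`. The stray `;` after the switch's closing brace is an empty statement that could go at the same time. toResourceType begins before this hunk.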
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (198291 => 198292)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -350,6 +350,7 @@
#endif
resourceType = DiagnosticLoggingKeys::fontKey();
break;
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
resourceType = DiagnosticLoggingKeys::rawKey();
break;
Modified: trunk/Source/WebCore/loader/cache/CachedRawResource.cpp (198291 => 198292)
--- trunk/Source/WebCore/loader/cache/CachedRawResource.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedRawResource.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -42,7 +42,7 @@
, m_identifier(0)
, m_allowEncodedDataReplacement(true)
{
- ASSERT(isMainOrRawResource());
+ ASSERT(isMainOrMediaOrRawResource());
}
const char* CachedRawResource::calculateIncrementalDataChunk(SharedBuffer* data, unsigned& incrementalDataLength)
Modified: trunk/Source/WebCore/loader/cache/CachedRawResource.h (198291 => 198292)
--- trunk/Source/WebCore/loader/cache/CachedRawResource.h 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedRawResource.h 2016-03-16 19:46:49 UTC (rev 198292)
@@ -95,7 +95,7 @@
} // namespace WebCore
SPECIALIZE_TYPE_TRAITS_BEGIN(WebCore::CachedRawResource)
- static bool isType(const WebCore::CachedResource& resource) { return resource.isMainOrRawResource(); }
+ static bool isType(const WebCore::CachedResource& resource) { return resource.isMainOrMediaOrRawResource(); }
SPECIALIZE_TYPE_TRAITS_END()
#endif // CachedRawResource_h
Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (198291 => 198292)
--- trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -74,6 +74,7 @@
#if ENABLE(SVG_FONTS)
case CachedResource::SVGFontResource:
#endif
+ case CachedResource::MediaResource:
case CachedResource::FontResource:
case CachedResource::RawResource:
return ResourceLoadPriority::Medium;
Modified: trunk/Source/WebCore/loader/cache/CachedResource.h (198291 => 198292)
--- trunk/Source/WebCore/loader/cache/CachedResource.h 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResource.h 2016-03-16 19:46:49 UTC (rev 198292)
@@ -69,6 +69,7 @@
#if ENABLE(SVG_FONTS)
SVGFontResource,
#endif
+ MediaResource,
RawResource,
SVGDocumentResource
#if ENABLE(XSLT)
@@ -159,8 +160,8 @@
bool areAllClientsXMLHttpRequests() const;
bool isImage() const { return type() == ImageResource; }
- // FIXME: CachedRawResource could be either a main resource or a raw XHR resource.
- bool isMainOrRawResource() const { return type() == MainResource || type() == RawResource; }
+ // FIXME: CachedRawResource could be a main resource, an audio/video resource, or a raw XHR/icon resource.
+ bool isMainOrMediaOrRawResource() const { return type() == MainResource || type() == MediaResource || type() == RawResource; }
bool ignoreForRequestCount() const
{
return type() == MainResource
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (198291 => 198292)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -100,6 +100,7 @@
#endif
case CachedResource::FontResource:
return new CachedFont(request, sessionID);
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
case CachedResource::MainResource:
return new CachedRawResource(request, type, sessionID);
@@ -269,6 +270,11 @@
}
#endif
+CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestMedia(CachedResourceRequest& request)
+{
+ return downcast<CachedRawResource>(requestResource(CachedResource::MediaResource, request).get());
+}
+
CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestRawResource(CachedResourceRequest& request)
{
return downcast<CachedRawResource>(requestResource(CachedResource::RawResource, request).get());
@@ -295,6 +301,7 @@
return MixedContentChecker::ContentType::Active;
#endif
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
case CachedResource::SVGDocumentResource:
return MixedContentChecker::ContentType::Active;
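Review bot: MediaResource is classified as `MixedContentChecker::ContentType::Active`, which is stricter than the Mixed Content spec's optionally-blockable treatment of audio and video; that is a defensible choice and, per the ChangeLog, preserves previous behavior, but nothing in the code records that it is deliberate. Add `// Media is intentionally treated as active (blockable) mixed content, stricter than the spec's optionally-blockable category.` above the case so nobody "corrects" it later. contentTypeFromResourceType begins before this hunk.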
@@ -337,6 +344,7 @@
#if ENABLE(VIDEO_TRACK)
case CachedResource::TextTrackResource:
#endif
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
case CachedResource::ImageResource:
#if ENABLE(SVG_FONTS)
@@ -384,6 +392,7 @@
#if ENABLE(SVG_FONTS)
case CachedResource::SVGFontResource:
#endif
+ case CachedResource::MediaResource:
case CachedResource::FontResource:
case CachedResource::RawResource:
#if ENABLE(LINK_PREFETCH)
@@ -446,12 +455,13 @@
case CachedResource::LinkSubresource:
#endif
break;
+ case CachedResource::MediaResource:
#if ENABLE(VIDEO_TRACK)
case CachedResource::TextTrackResource:
+#endif
if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck))
return false;
break;
-#endif
}
// SVG Images have unique security rules that prevent all subresource requests except for data urls.
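Review bot: The new expectations quote the post-redirect URL in the console message (`http://localhost:8000/resources/test.mp4`), which is harmless for the console but would be a cross-origin information leak if the same URL reached a `report-uri` payload, since as I read CSP Level 2 the blocked-uri for a redirected request must be the originally requested URL so a page cannot probe redirect targets through violation reports. Nothing in this hunk shows what allowMediaFromSource reports, so please confirm the reporting path uses the pre-redirect URL for media as it presumably already does for the other resource types. canRequest begins before this hunk; moving the `#endif` so the media-src check stays compiled in when VIDEO_TRACK is off is correct.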
@@ -742,7 +752,7 @@
// FIXME: We should use the same cache policy for all resource types. The raw resource policy is overly strict
// while the normal subresource policy is too loose.
- if (existingResource->isMainOrRawResource()) {
+ if (existingResource->isMainOrMediaOrRawResource()) {
bool strictPolicyDisabled = frame()->loader().isStrictRawResourceValidationPolicyDisabledForTesting();
bool canReuseRawResource = strictPolicyDisabled || downcast<CachedRawResource>(*existingResource).canReuse(request);
if (!canReuseRawResource)
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.h (198291 => 198292)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.h 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.h 2016-03-16 19:46:49 UTC (rev 198292)
@@ -76,6 +76,7 @@
CachedResourceHandle<CachedCSSStyleSheet> requestUserCSSStyleSheet(CachedResourceRequest&);
CachedResourceHandle<CachedScript> requestScript(CachedResourceRequest&);
CachedResourceHandle<CachedFont> requestFont(CachedResourceRequest&, bool isSVG);
+ CachedResourceHandle<CachedRawResource> requestMedia(CachedResourceRequest&);
CachedResourceHandle<CachedRawResource> requestRawResource(CachedResourceRequest&);
CachedResourceHandle<CachedRawResource> requestMainResource(CachedResourceRequest&);
CachedResourceHandle<CachedSVGDocument> requestSVGDocument(CachedResourceRequest&);
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (198291 => 198292)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2016-03-16 19:46:49 UTC (rev 198292)
@@ -67,15 +67,16 @@
NSURLRequest *nsRequest = [m_avRequest.get() request];
- // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
+ // FIXME: Skip Content Security Policy check if the element that inititated this request
+ // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
CachedResourceRequest request(nsRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::DisallowCaching));
request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
- CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
- m_resource = loader ? loader->requestRawResource(request) : 0;
- if (m_resource)
+ if (CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader()) {
+ m_resource = loader->requestMedia(request);
m_resource->addClient(this);
- else {
+ } else {
+ m_resource = nullptr;
LOG_ERROR("Failed to start load for media at url %s", [[[nsRequest URL] absoluteString] UTF8String]);
[m_avRequest.get() finishLoadingWithError:0];
}
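Review bot: `m_resource->addClient(this);` now runs unconditionally right after `m_resource = loader->requestMedia(request);`, dropping the `if (m_resource)` null check that the removed lines had. `requestMedia` is declared to return a `CachedResourceHandle<CachedRawResource>` through the same `requestResource` path as `requestRawResource`, and that path presumably yields a null handle whenever the load is refused — which is exactly what this patch makes the Content Security Policy check do for media URLs (the `allowMediaFromSource` branch returning `false` in CachedResourceLoader.cpp) — so a `media-src` violation appears to turn into a null dereference instead of reaching `finishLoadingWithError:`. The guard should cover both a missing loader and a rejected request, keeping the old shape so the error path stays in one place. The enclosing method begins before the hunk and continues past its last line.
```objc
    // … unchanged: request construction and priority …
    CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
    m_resource = loader ? loader->requestMedia(request) : nullptr;
    if (m_resource)
        m_resource->addClient(this);
    else {
        // No loader, or the request was refused (e.g. by Content Security Policy): fail the AVFoundation request.
        LOG_ERROR("Failed to start load for media at url %s", [[[nsRequest URL] absoluteString] UTF8String]);
        [m_avRequest.get() finishLoadingWithError:0];
    }
```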
Modified: trunk/Source/WebKit2/ChangeLog (198291 => 198292)
--- trunk/Source/WebKit2/ChangeLog 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebKit2/ChangeLog 2016-03-16 19:46:49 UTC (rev 198292)
@@ -1,3 +1,16 @@
+2016-03-16 Daniel Bates <[email protected]>
+
+ <video> and <audio> elements do not obey Content Security Policy on redirect
+ https://bugs.webkit.org/show_bug.cgi?id=155509
+ <rdar://problem/10234844>
+
+ Reviewed by Alex Christensen.
+
+ Use 0ms as the maximum buffering time for media resource just as we do currently.
+
+ * WebProcess/Network/WebLoaderStrategy.cpp:
+ (WebKit::maximumBufferingTime):
+
2016-03-16 Chris Dumez <[email protected]>
Unreviewed, rolling out r198235, r198240, r198241, and
Modified: trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp (198291 => 198292)
--- trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp 2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp 2016-03-16 19:46:49 UTC (rev 198292)
@@ -106,6 +106,7 @@
return std::chrono::milliseconds::max();
case CachedResource::ImageResource:
return 500_ms;
+ case CachedResource::MediaResource:
case CachedResource::MainResource:
case CachedResource::RawResource:
case CachedResource::SVGDocumentResource: