CSP 3: Update Content Security Policy when header sent as part of a 304 response

rreno · rreno · commit 9bcb547791aa · 2023-01-15T10:07:28.000-08:00
https://bugs.webkit.org/show_bug.cgi?id=244637 rdar://99405897 Reviewed by Brent Fulgham. We ignore any headers with the "Content-" prefix in a 304 response. This change special-cases the Content-Security-Policy and Content-Security-Policy-Report-Only headers to be included in the cached response. This has the effect of updating the cache entry's CSP if the server sends a new CSP in a 304 response. * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub-expected.txt: * Source/WebCore/platform/network/CacheValidation.cpp: (WebCore::shouldUpdateHeaderAfterRevalidation): Canonical link: https://commits.webkit.org/258931@main
diff --git a/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub-expected.txt
@@ -2,6 +2,6 @@
 
 PASS Test that the first frame uses nonce abc
 PASS Test that the first frame does not use nonce def
-FAIL Test that the second frame uses nonce def assert_unreached: Unexpected message received Reached unreachable code
-FAIL Test that the second frame does not use nonce abc assert_unreached: Unexpected message received Reached unreachable code
+PASS Test that the second frame uses nonce def
+PASS Test that the second frame does not use nonce abc
 
diff --git a/Source/WebCore/platform/network/CacheValidation.cpp b/Source/WebCore/platform/network/CacheValidation.cpp
@@ -68,6 +68,9 @@ static constexpr ASCIILiteral headerPrefixesToIgnoreAfterRevalidation[] = {
 
 static inline bool shouldUpdateHeaderAfterRevalidation(const String& header)
 {
+    if (header.startsWithIgnoringASCIICase("content-security-"_s))
+        return true;
+
     for (auto& headerToIgnore : headersToIgnoreAfterRevalidation) {
         if (equalIgnoringASCIICase(header, headerToIgnore))
             return false;

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,9 @@ static constexpr ASCIILiteral headerPrefixesToIgnoreAfterRevalidation[] = {`
`68`	`68`
`69`	`69`	`static inline bool shouldUpdateHeaderAfterRevalidation(const String& header)`
`70`	`70`	`{`
	`71`	`+ if (header.startsWithIgnoringASCIICase("content-security-"_s))`
	`72`	`+ return true;`
	`73`	`+`
`71`	`74`	`for (auto& headerToIgnore : headersToIgnoreAfterRevalidation) {`
`72`	`75`	`if (equalIgnoringASCIICase(header, headerToIgnore))`
`73`	`76`	`return false;`