153160 2016-01-15 15:12:39 -0800 CSP: Don't inherit parent's CSP in PluginDocuments 2022-10-20 09:40:53 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED WORKSFORME BlinkMergeCandidate, InRadar P2 Normal --- 1 dbates dbates bfulgham rreno webkit-bug-importer oldest_to_newest 1155982 0 dbates 2016-01-15 15:12:39 -0800 We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=191037>. Don't inherit parent's CSP in PluginDocuments Inheriting the CSP in a PluginDocument causes <iframe src="foo.pdf"> to be blocked if the parent's CSP forbids <embed src="foo.pdf">, as the iframe turns into a PluginDocument with an <embed> tag inside it. The only exception is that the plugin-types directive is still inherited from a parent document to a child PluginDocument, which preserves the current behavior and is required by the CSP spec. 1159615 1 webkit-bug-importer 2016-01-27 20:49:05 -0800 <rdar://problem/24383285> 1907075 2 rreno 2022-10-20 09:35:35 -0700 I can't reproduce the bug this Blink revision fixed. index.html: ----------- <!DOCTYPE html> <iframe src="plugin-test.html"></iframe> plugin-test.html: ---------------- <!DOCTYPE html> <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> <iframe src="foo.pdf"></iframe> The above example displays the PDF as expected. Another attempt I made was to simulate what the tests in that revision simulated with a python server which responds to any GET request with Content-Type: application/x-webkit-netscape-test Content-Security-Policy: object-src 'none' <h2>test</h2> This causes WebKit to initiate a download of a plain text file containing the text "test" At no point does CSP block anything. 1907077 3 rreno 2022-10-20 09:39:50 -0700 Additionally, this example also displays the PDF as expected. <!DOCTYPE html> <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> <iframe src="foo.pdf"></iframe> 1907078 4 rreno 2022-10-20 09:40:53 -0700 (In reply to Ryan Reno from comment #3) > Additionally, this example also displays the PDF as expected. > > <!DOCTYPE html> > <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> > <iframe src="foo.pdf"></iframe> actually I don't know if that's expected or not? Maybe that's a separate issue.