155182 2016-03-08 12:20:03 -0800 Web Inspector: Images being blocked by CSP 2.0 2016-03-08 13:56:07 -0800 1 1 1 Unclassified WebKit Web Inspector WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 joepeck joepeck bburg bfulgham commit-queue dbates graouts joepeck mattbaker nvasilyev timothy webkit-bug-importer oldest_to_newest 1172132 0 joepeck 2016-03-08 12:20:03 -0800 * SUMMARY All inspector images (file://) are being blocked by CSP 2.0. Warnings like: CONSOLE ERROR Refused to load the image 'file:///Users/pecoraro/Build/Release/WebInspectorUI.framework/Resources/Images/UserInputPrompt.svg' because it violates the following Content Security Policy directive: "img-src *". * NOTES - Inspector includes "file:" and "blob:" image resources. 1172134 1 webkit-bug-importer 2016-03-08 12:20:50 -0800 <rdar://problem/25040640> 1172136 2 273314 joepeck 2016-03-08 12:21:33 -0800 Created attachment 273314 [PATCH] Proposed Fix 1172138 3 273315 joepeck 2016-03-08 12:29:25 -0800 Created attachment 273315 [PATCH] Better Fix (blob for font-src) Missed out on font-src blob:. Also added for media-src just in case. 1172148 4 273315 dbates 2016-03-08 12:37:08 -0800 Comment on attachment 273315 [PATCH] Better Fix (blob for font-src) View in context: https://bugs.webkit.org/attachment.cgi?id=273315&action=review > Source/WebInspectorUI/UserInterface/Main.html:29 > + <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * file: blob:; connect-src *; media-src * blob:; font-src * blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"> This is OK as-is. It is unnecessary to explicitly add "blob:" to the media-src directive as * will match blob URLs. 1172204 5 273315 commit-queue 2016-03-08 13:56:03 -0800 Comment on attachment 273315 [PATCH] Better Fix (blob for font-src) Clearing flags on attachment: 273315 Committed r197802: <http://trac.webkit.org/changeset/197802> 1172205 6 commit-queue 2016-03-08 13:56:07 -0800 All reviewed patches have been landed. Closing bug. 273314 2016-03-08 12:21:33 -0800 2016-03-08 12:29:25 -0800 [PATCH] Proposed Fix csp2.patch text/plain 1498 joepeck ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJJbnNwZWN0b3JVSS9DaGFuZ2VMb2cgYi9Tb3VyY2UvV2Vi SW5zcGVjdG9yVUkvQ2hhbmdlTG9nCmluZGV4IDFiY2U4ZTAuLmZmYmIwZTUgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9XZWJJbnNwZWN0b3JVSS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkluc3BlY3Rv clVJL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE0IEBACisyMDE2LTAzLTA4ICBKb3NlcGggUGVjb3Jh cm8gIDxwZWNvcmFyb0BhcHBsZS5jb20+CisKKyAgICAgICAgV2ViIEluc3BlY3RvcjogSW1hZ2Vz IGJlaW5nIGJsb2NrZWQgYnkgQ1NQIDIuMAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MTU1MTgyCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNTA0MDY0 MD4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIFVz ZXJJbnRlcmZhY2UvTWFpbi5odG1sOgorICAgICAgICBBbGxvdyBXZWIgSW5zcGVjdG9yIHRvIGxv YWQgZmlsZTogYW5kIGJsb2I6IGltYWdlIHJlc291cmNlcy4KKwogMjAxNi0wMy0wNiAgTmlraXRh IFZhc2lseWV2ICA8bnZhc2lseWV2QGFwcGxlLmNvbT4KIAogICAgICAgICBXZWIgSW5zcGVjdG9y OiBVc2UgaGFsZi1waXhlbCBib3JkZXJzIGZvciBkYXRhIGdyaWRzCmRpZmYgLS1naXQgYS9Tb3Vy Y2UvV2ViSW5zcGVjdG9yVUkvVXNlckludGVyZmFjZS9NYWluLmh0bWwgYi9Tb3VyY2UvV2ViSW5z cGVjdG9yVUkvVXNlckludGVyZmFjZS9NYWluLmh0bWwKaW5kZXggZmI5OWM2NC4uM2ZiNDhlZiAx MDA2NDQKLS0tIGEvU291cmNlL1dlYkluc3BlY3RvclVJL1VzZXJJbnRlcmZhY2UvTWFpbi5odG1s CisrKyBiL1NvdXJjZS9XZWJJbnNwZWN0b3JVSS9Vc2VySW50ZXJmYWNlL01haW4uaHRtbApAQCAt MjYsNyArMjYsNyBAQAogPGh0bWw+CiA8aGVhZD4KICAgICA8bWV0YSBodHRwLWVxdWl2PSJDb250 ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCI+Ci0gICAgPG1ldGEg aHR0cC1lcXVpdj0iQ29udGVudC1TZWN1cml0eS1Qb2xpY3kiIGNvbnRlbnQ9ImRlZmF1bHQtc3Jj ICdzZWxmJzsgaW1nLXNyYyAqOyBjb25uZWN0LXNyYyAqOyBtZWRpYS1zcmMgKjsgZm9udC1zcmMg Kjsgc3R5bGUtc3JjICdzZWxmJyAndW5zYWZlLWlubGluZSc7IHNjcmlwdC1zcmMgJ3NlbGYnICd1 bnNhZmUtaW5saW5lJyI+CisgICAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1TZWN1cml0eS1Q b2xpY3kiIGNvbnRlbnQ9ImRlZmF1bHQtc3JjICdzZWxmJzsgaW1nLXNyYyAqIGZpbGU6IGJsb2I6 OyBjb25uZWN0LXNyYyAqOyBtZWRpYS1zcmMgKjsgZm9udC1zcmMgKjsgc3R5bGUtc3JjICdzZWxm JyAndW5zYWZlLWlubGluZSc7IHNjcmlwdC1zcmMgJ3NlbGYnICd1bnNhZmUtaW5saW5lJyI+CiAK ICAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9IkV4dGVybmFsL0NvZGVNaXJyb3IvY29k ZW1pcnJvci5jc3MiPgogCg== 273315 2016-03-08 12:29:25 -0800 2016-03-08 13:56:03 -0800 [PATCH] Better Fix (blob for font-src) better.patch text/plain 1556 joepeck ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJJbnNwZWN0b3JVSS9DaGFuZ2VMb2cgYi9Tb3VyY2UvV2Vi SW5zcGVjdG9yVUkvQ2hhbmdlTG9nCmluZGV4IDFiY2U4ZTAuLmZlM2YyN2UgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9XZWJJbnNwZWN0b3JVSS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkluc3BlY3Rv clVJL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1IEBACisyMDE2LTAzLTA4ICBKb3NlcGggUGVjb3Jh cm8gIDxwZWNvcmFyb0BhcHBsZS5jb20+CisKKyAgICAgICAgV2ViIEluc3BlY3RvcjogSW1hZ2Vz IGJlaW5nIGJsb2NrZWQgYnkgQ1NQIDIuMAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MTU1MTgyCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNTA0MDY0 MD4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIFVz ZXJJbnRlcmZhY2UvTWFpbi5odG1sOgorICAgICAgICBBbGxvdyBXZWIgSW5zcGVjdG9yIHRvIGxv YWQgZmlsZTogYW5kIGJsb2I6IGltYWdlIHJlc291cmNlcy4KKyAgICAgICAgQWxzbyBibG9iOiBt ZWRpYSBhbmQgZm9udCByZXNvdXJjZXMuCisKIDIwMTYtMDMtMDYgIE5pa2l0YSBWYXNpbHlldiAg PG52YXNpbHlldkBhcHBsZS5jb20+CiAKICAgICAgICAgV2ViIEluc3BlY3RvcjogVXNlIGhhbGYt cGl4ZWwgYm9yZGVycyBmb3IgZGF0YSBncmlkcwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkluc3Bl Y3RvclVJL1VzZXJJbnRlcmZhY2UvTWFpbi5odG1sIGIvU291cmNlL1dlYkluc3BlY3RvclVJL1Vz ZXJJbnRlcmZhY2UvTWFpbi5odG1sCmluZGV4IGZiOTljNjQuLjdjODUzMjAgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9XZWJJbnNwZWN0b3JVSS9Vc2VySW50ZXJmYWNlL01haW4uaHRtbAorKysgYi9Tb3Vy Y2UvV2ViSW5zcGVjdG9yVUkvVXNlckludGVyZmFjZS9NYWluLmh0bWwKQEAgLTI2LDcgKzI2LDcg QEAKIDxodG1sPgogPGhlYWQ+CiAgICAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBj b250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPgotICAgIDxtZXRhIGh0dHAtZXF1aXY9 IkNvbnRlbnQtU2VjdXJpdHktUG9saWN5IiBjb250ZW50PSJkZWZhdWx0LXNyYyAnc2VsZic7IGlt Zy1zcmMgKjsgY29ubmVjdC1zcmMgKjsgbWVkaWEtc3JjICo7IGZvbnQtc3JjICo7IHN0eWxlLXNy YyAnc2VsZicgJ3Vuc2FmZS1pbmxpbmUnOyBzY3JpcHQtc3JjICdzZWxmJyAndW5zYWZlLWlubGlu ZSciPgorICAgIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtU2VjdXJpdHktUG9saWN5IiBjb250 ZW50PSJkZWZhdWx0LXNyYyAnc2VsZic7IGltZy1zcmMgKiBmaWxlOiBibG9iOjsgY29ubmVjdC1z cmMgKjsgbWVkaWEtc3JjICogYmxvYjo7IGZvbnQtc3JjICogYmxvYjo7IHN0eWxlLXNyYyAnc2Vs ZicgJ3Vuc2FmZS1pbmxpbmUnOyBzY3JpcHQtc3JjICdzZWxmJyAndW5zYWZlLWlubGluZSciPgog CiAgICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJFeHRlcm5hbC9Db2RlTWlycm9yL2Nv ZGVtaXJyb3IuY3NzIj4KIAo=