155505 2016-03-15 12:34:06 -0700 Skip Content Security Policy check for a media request using standard schemes initiated from an element in user agent shadow tree 2017-06-20 15:04:37 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build All All RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=155509 https://bugs.webkit.org/show_bug.cgi?id=173498 InRadar P2 Normal --- 1 dbates dbates achristensen bfulgham jer.noble webkit-bug-importer oldest_to_newest 1175047 0 dbates 2016-03-15 12:34:06 -0700 We should explicitly skip enforcing the Content Security Policy (CSP) of the page for media loads that are initiated by an element in a user-agent shadow tree because such elements are considered an implementation detail and should not be exposed to web developers. Currently we implicitly skip enforcement of CSP because media resources are treated as raw resources and we do not apply CSP to raw resources. 1175048 1 dbates 2016-03-15 12:34:34 -0700 <rdar://problem/25169452> 1175294 2 achristensen 2016-03-15 23:26:06 -0700 See https://bugs.webkit.org/show_bug.cgi?id=155509 1320216 3 dbates 2017-06-16 15:53:43 -0700 Split off skip enforcing the Content Security Policy (CSP) for media requests to blob: and other external schemes to bug #173498. 1320221 4 313151 dbates 2017-06-16 16:02:18 -0700 Created attachment 313151 Patch 1321243 5 313151 bfulgham 2017-06-20 14:53:02 -0700 Comment on attachment 313151 Patch r=me 1321247 6 313151 dbates 2017-06-20 15:04:36 -0700 Comment on attachment 313151 Patch Clearing flags on attachment: 313151 Committed r218609: <http://trac.webkit.org/changeset/218609> 1321248 7 dbates 2017-06-20 15:04:37 -0700 All reviewed patches have been landed. Closing bug. 313151 2017-06-16 16:02:18 -0700 2017-06-20 15:04:36 -0700 Patch bug-155505-20170616160217.patch text/plain 4471 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjE4MTk2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZmRkYzZjYmJjZGM0Nzgz MWRiMDFkYmRhNDljM2ViYTljMjg4MjI2YS4uMGEzNzMzMjA0YWJiM2M4ODM4MTk5YmIxZThjZTcx NzM5NDQxZTBkNiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIxIEBACisyMDE3LTA2LTE2ICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAgICBTa2lwIENvbnRlbnQgU2Vj dXJpdHkgUG9saWN5IGNoZWNrIGZvciBhIG1lZGlhIHJlcXVlc3QgdXNpbmcgc3RhbmRhcmQgc2No ZW1lcyBpbml0aWF0ZWQgZnJvbQorICAgICAgICBhbiBlbGVtZW50IGluIHVzZXIgYWdlbnQgc2hh ZG93IHRyZWUKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTE1NTUwNQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMjUxNjk0NTI+CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhpcyBjaGFuZ2UgbWFrZXMgdGhl IGZvbGxvd2luZyB0ZXN0cyBwYXNzIG9uIGlPUyAxMToKKyAgICAgICAgICAgIGh0dHAvdGVzdHMv c2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3VzZXJBZ2VudFNoYWRvd0RPTS9hbGxvdy12 aWRlby5odG1sCisgICAgICAgICAgICBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS91c2VyQWdlbnRTaGFkb3dET00vYWxsb3ctYXVkaW8uaHRtbAorCisgICAgICAgICog bG9hZGVyL01lZGlhUmVzb3VyY2VMb2FkZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6TWVkaWFS ZXNvdXJjZUxvYWRlcjo6cmVxdWVzdFJlc291cmNlKToKKyAgICAgICAgKiBwbGF0Zm9ybS9ncmFw aGljcy9hdmZvdW5kYXRpb24vb2JqYy9XZWJDb3JlQVZGUmVzb3VyY2VMb2FkZXIubW06CisgICAg ICAgIChXZWJDb3JlOjpXZWJDb3JlQVZGUmVzb3VyY2VMb2FkZXI6OnN0YXJ0TG9hZGluZyk6CisK IDIwMTctMDYtMTMgIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNAYXBwbGUuY29tPgogCiAgICAgICAg IEltcGxlbWVudCBXM0MgU2VjdXJlIENvbnRleHRzIERyYWZ0IFNwZWNpZmljYXRpb24KZGlmZiAt LWdpdCBhL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9NZWRpYVJlc291cmNlTG9hZGVyLmNwcCBiL1Nv dXJjZS9XZWJDb3JlL2xvYWRlci9NZWRpYVJlc291cmNlTG9hZGVyLmNwcAppbmRleCBjMTcwNTc5 MjEzMmYxNjM3MDZiMTM5YWIzNWRmOWU2ODQ1Y2ZmNGFkLi43MmNhZWE3OWUzOWUwNGZiODI2Yjdh ODllZTM2Yjg3NDJhMzM3NGRmIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvTWVk aWFSZXNvdXJjZUxvYWRlci5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvbG9hZGVyL01lZGlhUmVz b3VyY2VMb2FkZXIuY3BwCkBAIC03Niw4ICs3Niw4IEBAIFJlZlB0cjxQbGF0Zm9ybU1lZGlhUmVz b3VyY2U+IE1lZGlhUmVzb3VyY2VMb2FkZXI6OnJlcXVlc3RSZXNvdXJjZShSZXNvdXJjZVJlcXVl CiAgICAgICAgIHJlcXVlc3QubWFrZVVuY29uZGl0aW9uYWwoKTsKICNlbmRpZgogCi0gICAgLy8g RklYTUU6IFNraXAgQ29udGVudCBTZWN1cml0eSBQb2xpY3kgY2hlY2sgaWYgdGhlIGVsZW1lbnQg dGhhdCBpbml0aWF0ZWQgdGhpcyByZXF1ZXN0IGlzIGluIGEgdXNlci1hZ2VudCBzaGFkb3cgdHJl ZS4gU2VlIDxodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU1NTA1Pi4K LSAgICBDYWNoZWRSZXNvdXJjZVJlcXVlc3QgY2FjaGVSZXF1ZXN0KFdURk1vdmUocmVxdWVzdCks IFJlc291cmNlTG9hZGVyT3B0aW9ucyhTZW5kQ2FsbGJhY2tzLCBEb05vdFNuaWZmQ29udGVudCwg YnVmZmVyaW5nUG9saWN5LCBBbGxvd1N0b3JlZENyZWRlbnRpYWxzLCBDbGllbnRDcmVkZW50aWFs UG9saWN5OjpNYXlBc2tDbGllbnRGb3JDcmVkZW50aWFscywgRmV0Y2hPcHRpb25zOjpDcmVkZW50 aWFsczo6SW5jbHVkZSwgRG9TZWN1cml0eUNoZWNrLCBGZXRjaE9wdGlvbnM6Ok1vZGU6Ok5vQ29y cywgRG9Ob3RJbmNsdWRlQ2VydGlmaWNhdGVJbmZvLCBDb250ZW50U2VjdXJpdHlQb2xpY3lJbXBv c2l0aW9uOjpEb1BvbGljeUNoZWNrLCBEZWZlcnNMb2FkaW5nUG9saWN5OjpBbGxvd0RlZmVyc0xv YWRpbmcsIGNhY2hpbmdQb2xpY3kpKTsKKyAgICBDb250ZW50U2VjdXJpdHlQb2xpY3lJbXBvc2l0 aW9uIGNvbnRlbnRTZWN1cml0eVBvbGljeUltcG9zaXRpb24gPSBtX21lZGlhRWxlbWVudCAmJiBt X21lZGlhRWxlbWVudC0+aXNJblVzZXJBZ2VudFNoYWRvd1RyZWUoKSA/IENvbnRlbnRTZWN1cml0 eVBvbGljeUltcG9zaXRpb246OlNraXBQb2xpY3lDaGVjayA6IENvbnRlbnRTZWN1cml0eVBvbGlj eUltcG9zaXRpb246OkRvUG9saWN5Q2hlY2s7CisgICAgQ2FjaGVkUmVzb3VyY2VSZXF1ZXN0IGNh Y2hlUmVxdWVzdChXVEZNb3ZlKHJlcXVlc3QpLCBSZXNvdXJjZUxvYWRlck9wdGlvbnMoU2VuZENh bGxiYWNrcywgRG9Ob3RTbmlmZkNvbnRlbnQsIGJ1ZmZlcmluZ1BvbGljeSwgQWxsb3dTdG9yZWRD cmVkZW50aWFscywgQ2xpZW50Q3JlZGVudGlhbFBvbGljeTo6TWF5QXNrQ2xpZW50Rm9yQ3JlZGVu dGlhbHMsIEZldGNoT3B0aW9uczo6Q3JlZGVudGlhbHM6OkluY2x1ZGUsIERvU2VjdXJpdHlDaGVj aywgRmV0Y2hPcHRpb25zOjpNb2RlOjpOb0NvcnMsIERvTm90SW5jbHVkZUNlcnRpZmljYXRlSW5m bywgY29udGVudFNlY3VyaXR5UG9saWN5SW1wb3NpdGlvbiwgRGVmZXJzTG9hZGluZ1BvbGljeTo6 QWxsb3dEZWZlcnNMb2FkaW5nLCBjYWNoaW5nUG9saWN5KSk7CiAgICAgY2FjaGVSZXF1ZXN0LnNl dEFzUG90ZW50aWFsbHlDcm9zc09yaWdpbihtX2Nyb3NzT3JpZ2luTW9kZSwgKm1fZG9jdW1lbnQp OwogICAgIGlmIChtX21lZGlhRWxlbWVudCkKICAgICAgICAgY2FjaGVSZXF1ZXN0LnNldEluaXRp YXRvcigqbV9tZWRpYUVsZW1lbnQuZ2V0KCkpOwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUv cGxhdGZvcm0vZ3JhcGhpY3MvYXZmb3VuZGF0aW9uL29iamMvV2ViQ29yZUFWRlJlc291cmNlTG9h ZGVyLm1tIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvYXZmb3VuZGF0aW9uL29i amMvV2ViQ29yZUFWRlJlc291cmNlTG9hZGVyLm1tCmluZGV4IDM3YmM0ODczZjlmNTQxZDJlZWEz ZmM3N2NjZmZkMzQ4ZDc2MzZhMWMuLmM4ZTQwM2ExMGJhY2IzOWM5MzAzYzI5ZDNlM2IwMjc3ZTYw YjNiZDcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2dyYXBoaWNzL2F2Zm91 bmRhdGlvbi9vYmpjL1dlYkNvcmVBVkZSZXNvdXJjZUxvYWRlci5tbQorKysgYi9Tb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9ncmFwaGljcy9hdmZvdW5kYXRpb24vb2JqYy9XZWJDb3JlQVZGUmVzb3Vy Y2VMb2FkZXIubW0KQEAgLTcxLDcgKzcxLDcgQEAgdm9pZCBXZWJDb3JlQVZGUmVzb3VyY2VMb2Fk ZXI6OnN0YXJ0TG9hZGluZygpCiAgICAgcmVzb3VyY2VSZXF1ZXN0LnNldFByaW9yaXR5KFJlc291 cmNlTG9hZFByaW9yaXR5OjpMb3cpOwogCiAgICAgLy8gRklYTUU6IFNraXAgQ29udGVudCBTZWN1 cml0eSBQb2xpY3kgY2hlY2sgaWYgdGhlIGVsZW1lbnQgdGhhdCBpbml0aXRhdGVkIHRoaXMgcmVx dWVzdAotICAgIC8vIGlzIGluIGEgdXNlci1hZ2VudCBzaGFkb3cgdHJlZS4gU2VlIDxodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU1NTA1Pi4KKyAgICAvLyBpcyBpbiBh IHVzZXItYWdlbnQgc2hhZG93IHRyZWUuIFNlZSA8aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hv d19idWcuY2dpP2lkPTE3MzQ5OD4uCiAgICAgQ2FjaGVkUmVzb3VyY2VSZXF1ZXN0IHJlcXVlc3Qo V1RGTW92ZShyZXNvdXJjZVJlcXVlc3QpLCBSZXNvdXJjZUxvYWRlck9wdGlvbnMoU2VuZENhbGxi YWNrcywgRG9Ob3RTbmlmZkNvbnRlbnQsIEJ1ZmZlckRhdGEsIERvTm90QWxsb3dTdG9yZWRDcmVk ZW50aWFscywgQ2xpZW50Q3JlZGVudGlhbFBvbGljeTo6Q2Fubm90QXNrQ2xpZW50Rm9yQ3JlZGVu dGlhbHMsIEZldGNoT3B0aW9uczo6Q3JlZGVudGlhbHM6Ok9taXQsIERvU2VjdXJpdHlDaGVjaywg RmV0Y2hPcHRpb25zOjpNb2RlOjpOb0NvcnMsIERvTm90SW5jbHVkZUNlcnRpZmljYXRlSW5mbywg Q29udGVudFNlY3VyaXR5UG9saWN5SW1wb3NpdGlvbjo6RG9Qb2xpY3lDaGVjaywgRGVmZXJzTG9h ZGluZ1BvbGljeTo6QWxsb3dEZWZlcnNMb2FkaW5nLCBDYWNoaW5nUG9saWN5OjpEaXNhbGxvd0Nh Y2hpbmcpKTsKICAgICBpZiAoYXV0byogbG9hZGVyID0gbV9wYXJlbnQtPnBsYXllcigpLT5jYWNo ZWRSZXNvdXJjZUxvYWRlcigpKQogICAgICAgICBtX3Jlc291cmNlID0gbG9hZGVyLT5yZXF1ZXN0 TWVkaWEoV1RGTW92ZShyZXF1ZXN0KSk7Cg==