308752 2026-02-26 07:26:09 -0800 blob: URLs are allowed in <iframe>s when CSP’s `frame-src` contains `‘self’`. 2026-03-19 09:46:58 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Local Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 nikosfan webkit-unassigned beidson bfulgham k_monsen roberto_rodriguez2 webkit-bug-importer oldest_to_newest 2185245 0 478498 nikosfan 2026-02-26 07:26:09 -0800 Created attachment 478498 Test for reproduction Version: WebKitGTK MiniBrowser 2.50.4, 2.47.0 OS: Ubuntu 22.04.3 LTS Description: When `Content-Security-Policy: frame-src ‘self’` is set, an <iframe> whose `src` attribute is a blob: URL is allowed to load. The attached test sets the response header `Content-Security-Policy: frame-src 'self' ` and dynamically creates an <iframe> whose `src` attribute is set to a blob: URL. The embedded document prints the word “run” to the console when it is loaded. Steps to Reproduce: 1) Serve the attached files from an HTTP web server with PHP enabled. 2) Visit self-enables-blob-frame-src.php. 3) Open the browser console and observe whether “run” is printed. Observed Behavior: The <iframe> is loaded and the console prints “run”. Expected Behavior: For <iframe> documents loaded from blob: URLs to be allowed, the blob: scheme should be explicitly listed in the `frame-src` directive. Comparison with other Major Browsers: Chrome, Opera, Brave, Edge, Firefox and Tor block the <iframe> and do not print “run”. Important Notes: - This behavior is observed only for the `frame-src` directive. - This behavior is not observed in the `frame-src` directive’s fallbacks (`child-src` and `default-src`) and `object-src`. 2185246 1 webkit-bug-importer 2026-02-26 07:26:15 -0800 <rdar://problem/171268629> 2191151 2 k_monsen 2026-03-17 15:39:40 -0700 Minor spec compliance, and not a security issue. 2191160 3 roberto_rodriguez2 2026-03-17 15:54:06 -0700 Pull request: https://github.com/WebKit/WebKit/pull/60814 2191750 4 ews-feeder 2026-03-19 09:46:55 -0700 Committed 309559@main (70534942aada): <https://commits.webkit.org/309559@main> Reviewed commits have been landed. Closing PR #60814 and removing active labels. 478498 2026-02-26 07:26:09 -0800 2026-02-26 07:26:09 -0800 Test for reproduction self-enables-blob-frame-src.php application/x-php 513 nikosfan PD9waHAKJGZwPSRfU0VSVkVSWydTRVJWRVJfTkFNRSddOwpoZWFkZXIoIkNvbnRlbnQtU2VjdXJp dHktUG9saWN5OiBmcmFtZS1zcmMgJ3NlbGYnIiwgZmFsc2UpOwo/PgoKPGJvZHk+CiAgPHNjcmlw dD4KICAgIGxldCBodG1sQ29udGVudCA9ICc8c2NyaXB0PmNvbnNvbGUubG9nKCJydW4iKTs8XC9z Y3JpcHQ+JzsgLy8gaHRtbCBkb2N1bWVudCB3aWxsIHByaW50ICdydW4nIGlmIGxvYWRlZAogICAg bGV0IGJsb2JfdXJsID0gVVJMLmNyZWF0ZU9iamVjdFVSTChuZXcgQmxvYihbaHRtbENvbnRlbnRd LCB7IHR5cGU6ICd0ZXh0L2h0bWwnIH0pKTsgLy8gY3JlYXRpbmcgYSBibG9iOiB1cmwgd2l0aCB0 aGlzIGh0bWwKICAgIGxldCBpZnIgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdpZnJhbWUnKTsK ICAgIGlmci5zcmMgPSBibG9iX3VybDsgLy8gc2V0IHRoZSBibG9iOiB1cmwgb24gdGhlIGlmcmFt ZQogICAgZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChpZnIpOwogIDwvc2NyaXB0Pgo8L2JvZHk+