Bug 106084

Summary: CSP: 'frame-src' should block redirects to invalid sources.
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Mike West <mkwst>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, japhet, mkwst+watchlist, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 103582
Attachments:
Patch (flags: none)

Description Mike West 2013-01-04 04:35:18 PST
WebKit currently fails tests 95 and 101 on http://csptesting.herokuapp.com/.

These test variations on whitelisting a source via a 'frame-src' directive, and then loading a whitelisted frame from that source which redirects to a non-whitelisted source. This redirection should be blocked, but currently isn't.
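The behaviour the report asks for, as an added illustration that is not WebKit's code: a small `frame-src` matcher applied to every hop of a frame load (the initial request plus each redirect target), next to the pre-fix behaviour that only checks the initial request. The source-expression matching is a simplified reading of CSP's host-source rules (scheme, exact or `*.` host, port, `'self'`, `'none'`), the redirect chain is modelled as a constructed list of URLs rather than being intercepted by a loader, and the host names and policy are made up for the example.

```javascript
// Added example, not WebKit code: check a frame's whole redirect chain against
// a CSP 'frame-src' source list. Uses the WHATWG URL class (Node / browsers).

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// WHATWG URL leaves `port` empty for the scheme's default port.
function effectivePort(u) {
  return u.port || DEFAULT_PORT[u.protocol] || "";
}

// Compile one source expression into a predicate over URL objects.
// `self` is the document's own URL, used for 'self' and scheme-less hosts.
function compileSource(expr, self) {
  if (expr === "'none'") return () => false;
  if (expr === "'self'") {
    return (u) => u.protocol === self.protocol &&
      effectivePort(u) === effectivePort(self) &&
      u.hostname.toLowerCase() === self.hostname.toLowerCase();
  }
  // Bare scheme, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    const scheme = expr.toLowerCase();
    return (u) => u.protocol === scheme;
  }
  // [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
  const wildcard = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const port = m[4] || null;
  return (u) => {
    // An explicit scheme must match exactly; a scheme-less host inherits the
    // document's scheme (an http document also accepts https).
    const schemeOk = scheme
      ? u.protocol === scheme
      : u.protocol === self.protocol || (self.protocol === "http:" && u.protocol === "https:");
    const h = u.hostname.toLowerCase();
    const hostOk = wildcard ? h.endsWith("." + host) : h === host;
    // No port in the expression: the URL must use its scheme's default port.
    const portOk = port === null ? u.port === "" : port === "*" || effectivePort(u) === port;
    return schemeOk && hostOk && portOk;
  };
}

// Walk every hop of the load; the first URL no source matches blocks the frame.
function checkFrameChain(frameSrc, chain, self) {
  const matchers = frameSrc.map((e) => compileSource(e, self));
  for (const href of chain) {
    const u = new URL(href);
    if (!matchers.some((m) => m(u))) return { allowed: false, blockedAt: href };
  }
  return { allowed: true, blockedAt: null };
}

// Pre-fix behaviour for comparison: only the initial request is checked, so a
// redirect to a non-whitelisted host goes unnoticed.
function checkInitialRequestOnly(frameSrc, chain, self) {
  return checkFrameChain(frameSrc, chain.slice(0, 1), self);
}

// Constructed sample mirroring the report: the frame's source is whitelisted,
// but it redirects to a host the policy does not allow.
const DOC = new URL("https://app.example/index.html");
const POLICY = ["'self'", "https://widgets.example", "*.cdn.example"];
const CHAIN = ["https://widgets.example/embed", "https://untrusted.example/landing"];

function demo() {
  return {
    initialOnly: checkInitialRequestOnly(POLICY, CHAIN, DOC),
    wholeChain: checkFrameChain(POLICY, CHAIN, DOC),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the sample policy, `checkInitialRequestOnly` reports the load as allowed while `checkFrameChain` blocks it at the redirect target, which is exactly the gap between the old SubframeLoader-only check and a check performed at each step of the redirect chain.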
Comment 1 Mike West 2013-01-04 04:38:22 PST
Created attachment 181289 [details]
Patch
Comment 2 Mike West 2013-01-04 04:40:03 PST
Hi Adam! This patch moves the CSP check for 'frame-src' out of SubframeLoader and into PolicyChecker, which allows us to validate the whole redirect chain, and also seems like a better location semantically. FrameLoader is pretty complex, however, so I'm not actually sure I'm doing the right thing here.

Would you mind taking a look?

Thanks!
Comment 3 Adam Barth 2013-01-04 09:57:50 PST
Comment on attachment 181289 [details]
Patch

Yeah, putting this in policy checker is much better.
Comment 4 Mike West 2013-01-04 10:51:41 PST
Comment on attachment 181289 [details]
Patch

Glad I interpreted things correctly. Thanks for the review!
Comment 5 WebKit Review Bot 2013-01-04 11:14:42 PST
Comment on attachment 181289 [details]
Patch

Clearing flags on attachment: 181289

Committed r138818: <http://trac.webkit.org/changeset/138818>
Comment 6 WebKit Review Bot 2013-01-04 11:14:45 PST
All reviewed patches have been landed. Closing bug.