Bug 153153

Summary: CSP: object-src directive should prohibit creation of nested browsing context
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc. Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, commit-queue, dbates, japhet, mkwst, webkit-bug-importer
Priority: P2 Keywords: BlinkMergeCandidate, InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
Attachments: Patch and Layout Tests (flags: bfulgham: review+)

Description Daniel Bates 2016-01-15 15:01:10 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=164952>.

CSP: Check <param> element values against the document's CSP before loading.

We ought to take account of the 'param' element parsing behavior that happens in
'HTMLObjectElement'. This patch moves the pluginIsLoadable check to make that
happen.

To avoid 'setTimeout' in the test, and to align with the spec[1], this patch also
starts dispatching an 'error' event on load failure for 'object' elements.

[1]: #4.6 ("If the load failed...") of http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element
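The merged change makes the object-src check run on the URL that results from <param> parsing rather than on the URL known before it. As an added illustration (not WebKit's code and not the patch attached to this bug), the following model derives the effective plug-in URL from an <object>'s attributes and its <param> children, checks it against a simplified object-src source list, and reports the 'error' event a blocked load should produce. The param-name fallback (src/movie/code/url), the subset of CSP source-expression syntax implemented, and every URL and policy string are assumptions or constructed inputs for this example.

```javascript
// Added example (not WebKit's code): a model of the check the Blink/WebKit
// change makes. Given an <object>'s attributes and its <param> children, derive
// the URL that would actually be loaded (the src/movie/code/url param fallback),
// then test that URL against the document's object-src source list.

// Assumption: these param names mirror the compatibility fallback WebKit's
// HTMLObjectElement applies when the data attribute is empty.
const URL_PARAM_NAMES = new Set(["src", "movie", "code", "url"]);

// URL the element will try to load: data attribute first, otherwise the first
// non-empty src/movie/code/url param, resolved against the document URL.
function effectivePluginUrl(objectAttrs, params, documentUrl) {
  let candidate = (objectAttrs.data || "").trim();
  if (!candidate) {
    for (const p of params) {
      const name = (p.name || "").trim().toLowerCase();
      const value = (p.value || "").trim();
      if (URL_PARAM_NAMES.has(name) && value) { candidate = value; break; }
    }
  }
  if (!candidate) return null;
  try { return new URL(candidate, documentUrl).href; } catch { return null; }
}

// Minimal CSP source-expression matcher (a subset of the real grammar):
// 'none', 'self', scheme:, and [scheme://]host[:port][/path] with *.host and
// wildcard-port forms.
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.trim().toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  const selfScheme = new URL(selfOrigin).protocol.slice(0, -1);
  // No explicit scheme: the URL must use the document's scheme (http -> https upgrade allowed).
  const schemeOk = scheme
    ? scheme === urlScheme
    : urlScheme === selfScheme || (selfScheme === "http" && urlScheme === "https");
  if (!schemeOk) return false;
  const urlHost = url.hostname.toLowerCase();
  const hostMismatch = host.startsWith("*.")
    ? !urlHost.endsWith(host.slice(1))          // *.example.com does not match example.com itself
    : (host !== "*" && host !== urlHost);
  if (hostMismatch) return false;
  // url.port is "" when the URL uses the default port for its scheme.
  const portMismatch = port
    ? (port !== "*" && port !== (url.port || defaultPort(urlScheme)))
    : url.port !== "";
  if (portMismatch) return false;
  if (path) {
    // Trailing slash means prefix match; otherwise the path must match exactly.
    if (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function defaultPort(scheme) {
  return { http: "80", https: "443", ws: "80", wss: "443", ftp: "21" }[scheme] || "";
}

// policy is the object-src source list, e.g. "'self' https://plugins.example.com".
function objectSrcAllows(policy, urlString, selfOrigin) {
  const url = new URL(urlString);
  return policy.split(/\s+/).filter(Boolean).some((expr) => sourceMatches(expr, url, selfOrigin));
}

// The URL a check that runs before <param> parsing gets to see: only the data attribute.
function dataAttributeOnlyUrl(objectAttrs, documentUrl) {
  const data = (objectAttrs.data || "").trim();
  return data ? new URL(data, documentUrl).href : null;
}

// Outcome for one <object>: the URL CSP sees after param parsing, whether it
// is blocked, and the event the element should receive ('error' when blocked).
function evaluateObject(objectAttrs, params, documentUrl, objectSrcPolicy) {
  const selfOrigin = new URL(documentUrl).origin;
  const loadUrl = effectivePluginUrl(objectAttrs, params, documentUrl);
  if (!loadUrl) return { url: null, blocked: false, event: null };
  const blocked = !objectSrcAllows(objectSrcPolicy, loadUrl, selfOrigin);
  return { url: loadUrl, blocked, event: blocked ? "error" : "load" };
}

// Constructed scenario in the shape of the layout test's situation: no data
// attribute, the URL arrives only through a <param>, and the policy forbids it.
const DOC = "https://example.com/page.html";
const PARAM_ONLY_OBJECT = { type: "application/x-shockwave-flash" };
const PARAM_ONLY_PARAMS = [{ name: "movie", value: "https://plugins.evil.example/p.swf" }];

console.log("URL seen by a data-attribute-only check:", dataAttributeOnlyUrl(PARAM_ONLY_OBJECT, DOC));
console.log("Decision after param parsing:", evaluateObject(PARAM_ONLY_OBJECT, PARAM_ONLY_PARAMS, DOC, "'self'"));
```

Run with node; the first line prints null (a check on the data attribute alone has nothing to evaluate), the second prints the param-derived URL with blocked: true and event: "error", which is the observable the test can wait for instead of a setTimeout.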
Comment 1 Radar WebKit Bug Importer 2016-01-27 20:37:33 PST
<rdar://problem/24383209>
Comment 2 Daniel Bates 2016-03-04 17:15:54 PST
Created attachment 273059 [details]
Patch and Layout Tests
Comment 3 Brent Fulgham 2016-03-04 21:37:28 PST
Comment on attachment 273059 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=273059&action=review

Very nice! r=me.

> LayoutTests/TestExpectations:-851
> -webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html

Hooray!
Comment 4 Daniel Bates 2016-03-07 12:21:10 PST
Committed r197697: <http://trac.webkit.org/changeset/197697>