Bug 154177

Summary: CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, bfulgham, commit-queue, czirkos.zoltan, dbates, ksajxai, mkwst, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch and Layout Tests none

Description Daniel Bates 2016-02-12 11:26:07 PST
Following up from bug #112573 and bug #153748, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against a HTTP or HTTPS resource.

For example, assume the page http://www.example.com has Content Security Policy script-src example.com. If the page loads an external JavaScript script https://example.com/script.js then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by <https://www.w3.org/TR/CSP2/#match-source-expression> (21 July 2015).
Comment 1 Daniel Bates 2016-02-12 11:26:39 PST
<rdar://problem/22708772>
Comment 2 Daniel Bates 2016-02-12 11:47:12 PST
Created attachment 271196 [details]
Patch and Layout Tests
Comment 3 Brent Fulgham 2016-02-15 09:54:05 PST
Comment on attachment 271196 [details]
Patch and Layout Tests

r=me.
Comment 4 Daniel Bates 2016-02-15 10:53:56 PST
Comment on attachment 271196 [details]
Patch and Layout Tests

Clearing flags on attachment: 271196

Committed r196581: <http://trac.webkit.org/changeset/196581>
Comment 5 Daniel Bates 2016-02-15 10:53:59 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Daniel Bates 2016-02-15 20:28:29 PST
*** Bug 146723 has been marked as a duplicate of this bug. ***
Comment 7 Czirkos Zoltan 2017-09-10 05:56:47 PDT
Is this patch supposed to be in iOS 9.3.5?
The bug still exists on an iPhone 4 which is claiming to be up to date, although the date of closing the bug is February 2016.