Bug 155505

Summary: Skip Content Security Policy check for a media request using standard schemes initiated from an element in user agent shadow tree
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc. Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, jer.noble, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=155509
https://bugs.webkit.org/show_bug.cgi?id=173498
Attachments:
Description Flags
Patch none

Description Daniel Bates 2016-03-15 12:34:06 PDT
We should explicitly skip enforcing the Content Security Policy (CSP) of the page for media loads that are initiated by an element in a user-agent shadow tree because such elements are considered an implementation detail and should not be exposed to web developers. Currently we implicitly skip enforcement of CSP because media resources are treated as raw resources and we do not apply CSP to raw resources.
Comment 1 Daniel Bates 2016-03-15 12:34:34 PDT
<rdar://problem/25169452>
Comment 2 Alex Christensen 2016-03-15 23:26:06 PDT
See https://bugs.webkit.org/show_bug.cgi?id=155509
Comment 3 Daniel Bates 2017-06-16 15:53:43 PDT
Split off skipping enforcement of the Content Security Policy (CSP) for media requests to blob: and other external schemes to bug #173498.
Comment 4 Daniel Bates 2017-06-16 16:02:18 PDT
Created attachment 313151 [details]
Patch
Comment 5 Brent Fulgham 2017-06-20 14:53:02 PDT
Comment on attachment 313151 [details]
Patch

r=me
Comment 6 Daniel Bates 2017-06-20 15:04:36 PDT
Comment on attachment 313151 [details]
Patch

Clearing flags on attachment: 313151

Committed r218609: <http://trac.webkit.org/changeset/218609>
Comment 7 Daniel Bates 2017-06-20 15:04:37 PDT
All reviewed patches have been landed. Closing bug.