Bug 156079

Summary: REGRESSION (r196012): <object>/<embed> with no URL does not match source *
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, commit-queue, mkwst, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar, Regression
Version: WebKit Local Build
Hardware: All
OS: All
Bug Depends on: 153748
Bug Blocks:

Attachments:
Description: Example
Flags: none
Description: Patch and Layout Tests
Flags: bfulgham: review+, buildbot: commit-queue-
Description: Archive of layout-test-results from ews121 for ios-simulator-wk2
Flags: none

Description Daniel Bates 2016-03-31 12:45:26 PDT
Suppose an NPAPI plugin X is installed that supports MIME type application/X. Consider a web page with the following markup:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="object-src *">
</head>
<body>
<object type="application/X"></object>
</body>
</html>

Then plugin X should load. But it does not following <http://trac.webkit.org/changeset/197724> (bug #154122).
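
The expected behaviour described in this report, as an added example that is not part of the original bug report or WebKit's code: a simplified JavaScript model of the policy check for an <object>/<embed> that has no URL. The function names are hypothetical, the sample policies are constructed, and the rule it encodes (URL-less plugin content is blocked only when the effective source list is 'none') is an assumption taken from the object-src section of the Content Security Policy spec.

```javascript
// Simplified model (added example, not WebKit code) of how a URL-less
// <object>/<embed> is checked against a Content Security Policy string.

// Parse a policy into a Map of directive name -> array of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. trailing ';'
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether plugin content with no associated URL may load.
// Assumption: there is no URL to match against the source list, so the
// content is blocked only when the effective list is 'none' (an empty
// list is treated like 'none' here); any other list, including *, allows it.
function allowsPluginWithNoURL(policy) {
  const directives = parsePolicy(policy);
  // object-src governs plugins; default-src is the fallback when it is absent.
  const sources = directives.get("object-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // no directive governs plugins
  const isNone =
    sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
  return !isNone;
}

// Constructed sample policies, mirroring the cases named by the layout tests.
const samples = [
  "object-src *",
  "default-src *",
  "object-src 'none'",
  "default-src *; object-src 'none'",
];
for (const policy of samples) {
  console.log(`${policy} -> ${allowsPluginWithNoURL(policy) ? "load" : "block"}`);
}
```
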
Comment 1 Radar WebKit Bug Importer 2016-03-31 12:45:49 PDT
<rdar://problem/25470805>
Comment 2 Daniel Bates 2016-03-31 12:53:04 PDT
Created attachment 275312 [details]
Example

An example web page that demonstrates the issue. There should be no console warnings when you view the page.
Comment 3 Daniel Bates 2016-03-31 15:24:32 PDT
Created attachment 275338 [details]
Patch and Layout Tests
Comment 4 Daniel Bates 2016-03-31 16:15:37 PDT
From the iOS Sim EWS:

> Regressions: Unexpected text-only failures (4)
>  http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html [ Failure ]
>  http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html [ Failure ]
>  http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html [ Failure ]
>  http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html [ Failure ]

These tests are expected to fail on iOS because we do not support plugins. Will add these tests to the file LayoutTests/platform/ios-simulator/TestExpectations so that they are skipped when running tests in the iOS simulator.
Comment 5 Build Bot 2016-03-31 16:15:48 PDT
Comment on attachment 275338 [details]
Patch and Layout Tests

Attachment 275338 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/1077512

New failing tests:
http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html
http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html
http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html
http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html
Comment 6 Build Bot 2016-03-31 16:15:51 PDT
Created attachment 275349 [details]
Archive of layout-test-results from ews121 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews121  Port: ios-simulator-wk2  Platform: Mac OS X 10.10.5
Comment 7 Daniel Bates 2016-03-31 16:16:50 PDT
(In reply to comment #4)
> From the iOS Sim EWS:
> 
> > Regressions: Unexpected text-only failures (4)
> >  http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html [ Failure ]
> >  http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html [ Failure ]
> >  http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html [ Failure ]
> >  http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html [ Failure ]
> 
> These tests are expected to fail on iOS because we do not support plugins.
> Will add these tests to the file
> LayoutTests/platform/ios-simulator/TestExpectations so that they are skipped
> when running tests in the iOS simulator.

I meant to add that I will update LayoutTests/platform/ios-simulator/TestExpectations before I land this patch.
Comment 8 Brent Fulgham 2016-03-31 17:24:32 PDT
Comment on attachment 275338 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=275338&action=review

r=me

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:388
> +    // As per section object-src of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (EditorĂ¢s Draft, 29 February 2016),
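
Review bot: The citation in the comment added at ContentSecurityPolicy.cpp:388 points at the root of the Editor's Draft, <http://w3c.github.io/webappsec-csp>, which is a living document, so the object-src section it names may read differently later. The draft date in the comment helps; consider also linking the object-src section itself so the rule this code implements can be found without searching the whole draft.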

Looks like a smart apostrophe got added here (Editor's Draft)
Comment 9 Daniel Bates 2016-03-31 18:45:40 PDT
(In reply to comment #8)
> > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:388
> > +    // As per section object-src of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (EditorĂ¢s Draft, 29 February 2016),
> 
> Looks like a smart apostrophe got added here (Editor's Draft)

Will fix before landing.
Comment 10 Daniel Bates 2016-03-31 18:54:52 PDT
Committed r198936: <http://trac.webkit.org/changeset/198936>
Comment 11 Daniel Bates 2016-04-01 11:12:49 PDT
(In reply to comment #0)
> But it does not following <http://trac.webkit.org/changeset/197724> (bug #154122).

I meant to write:

But it does not following <http://trac.webkit.org/changeset/196012> (bug #153748).