Bug 156935

Summary: REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, bfulgham, bugzilla, commit-queue, darin, mkwst, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar, Regression
Version: WebKit Local Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=157472
Bug Depends on: 153748    
Bug Blocks:    
Attachments:
Description Flags
Patch and Layout Tests darin: review+

Daniel Bates
Reported 2016-04-22 16:09:39 PDT
Using WebKit r196012 or later, perform the following: 1. Visit <http://www.blogger.com> and sign in. 2. Create a new blog if you do not already have one. 3. Create a new block post by clicking the button with the pen icon Blogger.com will navigate to the editor dashboard page and this page is almost entirely blank when it would otherwise display a document editor to create a new blog post. In the console you will see messages of the form: [Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js because it does not appear in the script-src directive of the Content Security Policy. [Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=1 because it does not appear in the script-src directive of the Content Security Policy. [Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=2 because it does not appear in the script-src directive of the Content Security Policy. [Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=3 because it does not appear in the script-src directive of the Content Security Policy.
Attachments
Patch and Layout Tests (13.15 KB, patch)
2016-04-22 16:36 PDT, Daniel Bates 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2016-04-22 16:10:03 PDT
<rdar://problem/25351286>
Daniel Bates
Comment 2 2016-04-22 16:36:29 PDT
Created attachment 277113 [details] Patch and Layout Tests Even though it is not strictly necessary to call ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&) because we will call this function when we apply the policy to the script execution context in ContentSecurityPolicy::applyPolicyToScriptExecutionContext() I thought to do so to keep symmetry with the ContentSecurityPolicy(const SecurityOrigin&, const Frame*) constructor and this code is unlikely to be sufficiently hot in a profile. Let me know if it is preferred to omit the call to ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&).
Daniel Bates
Comment 3 2016-04-25 09:27:11 PDT
Committed r200030: <http://trac.webkit.org/changeset/200030>
Daniel Bates
Comment 4 2016-06-01 23:52:52 PDT
*** Bug 157472 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.