Bug 156935

Summary: REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: WebCore Misc.
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: aestes, bfulgham, bugzilla, commit-queue, darin, mkwst, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar, Regression
Version: WebKit Local Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=157472
Bug Depends on: 153748    
Bug Blocks:    
Attachments:
Description Flags
Patch and Layout Tests darin: review+

Description Daniel Bates 2016-04-22 16:09:39 PDT
Using WebKit r196012 or later, perform the following:

1. Visit <http://www.blogger.com> and sign in.
2. Create a new blog if you do not already have one.
3. Create a new blog post by clicking the button with the pen icon.

Blogger.com will navigate to the editor dashboard page and this page is almost entirely blank when it would otherwise display a document editor to create a new blog post. In the console you will see messages of the form:

[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=1 because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=2 because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=3 because it does not appear in the script-src directive of the Content Security Policy.
Comment 1 Daniel Bates 2016-04-22 16:10:03 PDT
<rdar://problem/25351286>
Comment 2 Daniel Bates 2016-04-22 16:36:29 PDT
Created attachment 277113
Patch and Layout Tests

Even though it is not strictly necessary to call ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&), because we will call this function when we apply the policy to the script execution context in ContentSecurityPolicy::applyPolicyToScriptExecutionContext(), I thought to do so to keep symmetry with the ContentSecurityPolicy(const SecurityOrigin&, const Frame*) constructor, and this code is unlikely to be sufficiently hot in a profile. Let me know if it is preferred to omit the call to ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&).
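
A simplified model of the symptom in this bug's summary, as an added example that is not WebKit code and not part of the patch: it assumes the policy object resolves 'self' against an origin it stores separately, and that a load matching only 'self' is refused while that origin is unset. The class, the policy string, the document URL and https://cdn.example are constructed for illustration; only the script URL comes from the console output in the description.

```javascript
// Simplified model of CSP 'self' matching (added example, not WebKit code).
// Assumption: 'self' is resolved against an origin stored on the policy object.
class PolicyModel {
  constructor(policyText) {
    this.selfOrigin = null; // unset until updateSourceSelf() is called
    this.scriptSources = [];
    for (const directive of policyText.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'script-src') this.scriptSources = sources;
    }
  }

  // Hypothetical counterpart of the function named in comment 2.
  updateSourceSelf(documentUrl) {
    this.selfOrigin = new URL(documentUrl).origin;
  }

  // Returns the source expression that allowed the load, or null if refused.
  matchScript(resourceUrl) {
    const origin = new URL(resourceUrl).origin;
    for (const source of this.scriptSources) {
      if (source === "'self'") {
        // Strict origin equality; real CSP matching has more cases.
        if (this.selfOrigin !== null && origin === this.selfOrigin) return source;
      } else if (!source.startsWith("'")) {
        let sourceOrigin;
        try { sourceOrigin = new URL(source).origin; } catch { continue; }
        if (origin === sourceOrigin) return source;
      }
    }
    return null;
  }
}

// Constructed policy and document URL; the page does not show what Blogger sends.
const POLICY = "script-src 'self' https://cdn.example";
const DOCUMENT_URL = 'https://www.blogger.com/';
const SCRIPT_URL = 'https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js';

function demo() {
  const policy = new PolicyModel(POLICY);
  const before = policy.matchScript(SCRIPT_URL);                 // 'self' unresolved
  const listed = policy.matchScript('https://cdn.example/a.js'); // explicit host still matches
  policy.updateSourceSelf(DOCUMENT_URL);
  const after = policy.matchScript(SCRIPT_URL);
  return { before, listed, after };
}
console.log(demo());
```

A site whose policy also lists its own host explicitly would not show the symptom in this model, which is why only resources that match 'self' alone are affected.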
Comment 3 Daniel Bates 2016-04-25 09:27:11 PDT
Committed r200030: <http://trac.webkit.org/changeset/200030>
Comment 4 Daniel Bates 2016-06-01 23:52:52 PDT
*** Bug 157472 has been marked as a duplicate of this bug. ***