Bug 165531

Summary: [CSP] Policy of window opener not applied to about:blank window
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, bfulgham, cdumez, commit-queue, esprehn+autocc, japhet, kangil.han, mkwst, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 172038    
Attachments:
Description Flags
Patch and layout test none

Daniel Bates
Reported 2016-12-07 10:24:52 PST
about:blank windows should inherit the content security policy of their opener document.
Attachments
Patch and layout test (11.80 KB, patch)
2016-12-07 10:35 PST, Daniel Bates 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2016-12-07 10:25:29 PST
<rdar://problem/29426639>
Daniel Bates
Comment 2 2016-12-07 10:35:33 PST
Created attachment 296398 [details] Patch and layout test I chose to remove the upgrade-insecure-requests comment from Document::initContentSecurityPolicy() because I did not see the value in it and its second to last sentence was inaccurate with respect to this function. Let me know if there is value in adding a comment to Document::initContentSecurityPolicy() about how we handle upgrade insecure requests. We should look to centralize the upgrade-insecure-requests inheritance logic for child frames and child windows. Currently this logic is dispersed across Document::initSecurityContext(), Document::initContentSecurityPolicy(), and DocumentWriter::begin(). I suggest we do this in a separate bug.
Brent Fulgham
Comment 3 2016-12-09 09:24:02 PST
Comment on attachment 296398 [details] Patch and layout test Looks good. r=me.
Daniel Bates
Comment 4 2016-12-09 09:27:56 PST
Comment on attachment 296398 [details] Patch and layout test Clearing flags on attachment: 296398 Committed r209608: <http://trac.webkit.org/changeset/209608>
Daniel Bates
Comment 5 2016-12-09 09:28:01 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.