Bug 224535

Summary: Blob URLs should use their owner origin for CSP navigation/download checks
Product: WebKit Reporter: youenn fablet <youennf>
Component: Page LoadingAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, cdumez, ews-watchlist, japhet, mkwst, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch for landing none

youenn fablet
Reported 2021-04-14 02:49:13 PDT
Blob URLs should use for their owner origin for CSP checks
Attachments
Patch (12.31 KB, patch)
2021-04-14 03:53 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch (14.36 KB, patch)
2021-04-14 10:39 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch (16.06 KB, patch)
2021-04-15 01:55 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch for landing (13.23 KB, patch)
2021-04-16 09:03 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2021-04-14 02:50:05 PDT
<rdar://76458106>
youenn fablet
Comment 2 2021-04-14 03:53:43 PDT
Created attachment 425967 [details] Patch
youenn fablet
Comment 3 2021-04-14 10:39:46 PDT
Created attachment 426006 [details] Patch
youenn fablet
Comment 4 2021-04-15 01:55:55 PDT
Created attachment 426084 [details] Patch
youenn fablet
Comment 5 2021-04-15 05:50:55 PDT
Comment on attachment 426084 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review > Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:135 > + if (m_allowSelf && m_policy.urlMatchesSelf(url, equalIgnoringASCIICase(m_directiveName, ContentSecurityPolicyDirectiveNames::frameSrc) Maybe we should store whether this is a frame src directive as a boolean.
Alex Christensen
Comment 6 2021-04-15 10:27:09 PDT
Comment on attachment 426084 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review > Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:136 > +)) These should be on the previous line. > LayoutTests/platform/mac-wk1/TestExpectations:140 > +http/tests/security/frame-src-and-blob-download.https.html [ Skip ] Why not run this test in WK1?
youenn fablet
Comment 7 2021-04-15 10:28:52 PDT
> > LayoutTests/platform/mac-wk1/TestExpectations:140 > > +http/tests/security/frame-src-and-blob-download.https.html [ Skip ] > > Why not run this test in WK1? test runner API is not implemented in WK1. A lot of the download tests are skipped in WK1 so I am unsure what download support there actually is in WK1.
Alex Christensen
Comment 8 2021-04-15 10:35:21 PDT
Comment on attachment 426084 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review > Source/WebCore/page/SecurityOrigin.cpp:270 > + return true; This could be replaced by ||
youenn fablet
Comment 9 2021-04-16 09:03:25 PDT
Created attachment 426232 [details] Patch for landing
EWS
Comment 10 2021-04-18 08:43:44 PDT
commit-queue failed to commit attachment 426232 [details] to WebKit repository. To retry, please set cq+ flag again.
EWS
Comment 11 2021-04-18 09:42:12 PDT
Committed r276230 (236712@main): <https://commits.webkit.org/236712@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426232 [details].
Note You need to log in before you can comment on or make changes to this bug.