Bug 224535

Summary: Blob URLs should use their owner origin for CSP navigation/download checks
Product: WebKit Reporter: youenn fablet <youennf>
Component: Page LoadingAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, cdumez, ews-watchlist, japhet, mkwst, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch for landing none

Description youenn fablet 2021-04-14 02:49:13 PDT 
Blob URLs should use for their owner origin for CSP checks
Comment 1 youenn fablet 2021-04-14 02:50:05 PDT 
<rdar://76458106>
Comment 2 youenn fablet 2021-04-14 03:53:43 PDT 
Created attachment 425967 [details]
Patch
Comment 3 youenn fablet 2021-04-14 10:39:46 PDT 
Created attachment 426006 [details]
Patch
Comment 4 youenn fablet 2021-04-15 01:55:55 PDT 
Created attachment 426084 [details]
Patch
Comment 5 youenn fablet 2021-04-15 05:50:55 PDT 
Comment on attachment 426084 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review

> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:135
> +    if (m_allowSelf && m_policy.urlMatchesSelf(url, equalIgnoringASCIICase(m_directiveName, ContentSecurityPolicyDirectiveNames::frameSrc)

Maybe we should store whether this is a frame src directive as a boolean.
Comment 6 Alex Christensen 2021-04-15 10:27:09 PDT 
Comment on attachment 426084 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review

> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:136
> +))

These should be on the previous line.

> LayoutTests/platform/mac-wk1/TestExpectations:140
> +http/tests/security/frame-src-and-blob-download.https.html [ Skip ]

Why not run this test in WK1?
Comment 7 youenn fablet 2021-04-15 10:28:52 PDT 
> > LayoutTests/platform/mac-wk1/TestExpectations:140
> > +http/tests/security/frame-src-and-blob-download.https.html [ Skip ]
> 
> Why not run this test in WK1?

test runner API is not implemented in WK1.
A lot of the download tests are skipped in WK1 so I am unsure what download support there actually is in WK1.
Comment 8 Alex Christensen 2021-04-15 10:35:21 PDT 
Comment on attachment 426084 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review

> Source/WebCore/page/SecurityOrigin.cpp:270
> +            return true;

This could be replaced by ||
Comment 9 youenn fablet 2021-04-16 09:03:25 PDT 
Created attachment 426232 [details]
Patch for landing
Comment 10 EWS 2021-04-18 08:43:44 PDT 
commit-queue failed to commit attachment 426232 [details] to WebKit repository. To retry, please set cq+ flag again.
Comment 11 EWS 2021-04-18 09:42:12 PDT 
Committed r276230 (236712@main): <https://commits.webkit.org/236712@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 426232 [details].