| Field | Value |
|---|---|
| Summary | CSP: Properly block image content in object elements |
| Product | WebKit |
| Component | WebCore Misc. |
| Reporter | Patrick Griffis <pgriffis> |
| Assignee | Patrick Griffis <pgriffis> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | bfulgham, cdumez, ews-watchlist, japhet, katherine_cheney, mikispag, mkwst, webkit-bug-importer |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Attachments | 450280 (Patch), 450327 (Patch for landing), 450328 (Patch for landing) |
Description
Patrick Griffis
2022-01-28 15:00:09 PST
Created attachment 450280 [details]
Patch
Comment on attachment 450280 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450280&action=review

> Source/WebCore/loader/ResourceLoaderOptions.h:150
> +enum class LoadedFromPluginElement : uint8_t {

Usually we write enums for booleans like this:

    enum class LoadedFromPluginElement : bool { No, Yes };

with a "bool" specifier and the 'No' value first. I am not sure why other enums in this class do not follow that pattern, but I think we should stick with it.

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:581
> + String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");

We should log the target URL in the console here I think. It is helpful to debug and I believe it also matches other browser behavior in general to log the target URL in the console.

Created attachment 450327 [details]
Patch for landing

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Created attachment 450328 [details]
Patch for landing

Committed r288792 (246569@main): <https://commits.webkit.org/246569@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450328 [details].

*** Bug 181846 has been marked as a duplicate of this bug. ***

This fix shipped with Safari 15.5 (all platforms).
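The security point behind this bug is which CSP directive governs a load: a request issued by a plugin element (`<object>`, `<embed>`) is `object-src` business regardless of whether the bytes that come back are an image, so `object-src 'none'` must block `<object data="picture.png">` even when `img-src *` would have allowed the same file through `<img>`. The following Node.js script is an added example, not WebKit's code and not derived from the patch; it models that directive selection and emits a violation message that includes the blocked URL, as the review above asks for. The function names (`checkRequest`, `governingDirective`), the policy, origin and URLs, and the message wording are all constructed for this example, and the source-expression matching is a simplified version of the real CSP rules (noted in the comments).

```javascript
// Added example, not WebKit's code: a small model of Content Security Policy
// directive selection, showing why a request issued by a plugin element
// (<object>, <embed>) must be governed by object-src even when the resource
// that comes back is an image. Helper names and message wording are assumptions.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "default-src 'self'; object-src 'none'" into Map(name -> [sources]).
// Directive names are case-insensitive; a repeated directive keeps its first value.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const token of serialized.split(';')) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match one source expression against a URL. Supports 'none', 'self', *,
// scheme-source (https:) and host-source ([scheme://]host[:port], *.host).
// Simplifications: '*' excludes only data:/blob:/filesystem:, and an expression
// without a port matches only a URL on its scheme's default port.
function sourceMatches(expr, url, documentOrigin) {
  const target = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === new URL(documentOrigin).origin;
  if (expr === '*') return !['data:', 'blob:', 'filesystem:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
  const targetHost = target.hostname.toLowerCase();
  const exprHost = host.toLowerCase();
  const hostOk = wildcard ? targetHost.endsWith(`.${exprHost}`) : targetHost === exprHost;
  if (!hostOk) return false;
  if (port === undefined) return target.port === '';
  return port === '*' || port === (target.port || DEFAULT_PORT[target.protocol] || '');
}

// Which directive governs a request? A plugin-element load is always decided by
// object-src, whatever content type the response turns out to have; an <img>
// load is decided by img-src. Both fall back to default-src; null = unrestricted.
function governingDirective(policy, request) {
  const primary = request.initiator === 'plugin-element' ? 'object-src'
                : request.destination === 'image' ? 'img-src' : null;
  if (primary && policy.has(primary)) return primary;
  return policy.has('default-src') ? 'default-src' : null;
}

// Console text for a blocked load: names the violated directive and includes
// the blocked URL. The exact wording is this example's own, not WebKit's.
function consoleMessageForViolation(directive, policy, blockedURL) {
  const value = [directive, ...policy.get(directive)].join(' ');
  return `Refused to load ${blockedURL} because it violates the ` +
         `Content Security Policy directive "${value}".`;
}

// Full check for one request: returns { allowed, directive, message }.
function checkRequest(serializedPolicy, documentOrigin, request) {
  const policy = parsePolicy(serializedPolicy);
  const directive = governingDirective(policy, request);
  if (directive === null) return { allowed: true, directive: null, message: null };
  const allowed = policy.get(directive).some(expr => sourceMatches(expr, request.url, documentOrigin));
  return {
    allowed,
    directive,
    message: allowed ? null : consoleMessageForViolation(directive, policy, request.url),
  };
}

// Constructed scenario: a page at https://example.test whose policy lets <img>
// load from anywhere but forbids plugin content entirely.
const POLICY = "default-src 'self'; img-src *; object-src 'none'";
const ORIGIN = 'https://example.test';
const PICTURE = 'https://cdn.example/picture.png';

// <object data="https://cdn.example/picture.png">: plugin element, image response.
const viaObject = checkRequest(POLICY, ORIGIN,
  { initiator: 'plugin-element', destination: 'image', url: PICTURE });
// <img src="https://cdn.example/picture.png">: same bytes, governed by img-src.
const viaImg = checkRequest(POLICY, ORIGIN,
  { initiator: 'img-element', destination: 'image', url: PICTURE });

console.log('via <object>:', viaObject); // blocked under object-src, URL in message
console.log('via <img>:   ', viaImg);    // allowed under img-src
```

Run it with `node csp-object-src.js`. The `<object>` load is refused under `object-src 'none'` and the message names the blocked URL; the same image fetched through `<img>` passes under `img-src *`. A loader that classified the first request by its image content type instead of by the element that issued it would fall into the `img-src` branch and let it through, which is the class of mistake the bug title describes.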