Bug 308752

Created attachment 478498 [details] Test for reproduction Version: WebKitGTK MiniBrowser 2.50.4, 2.47.0 OS: Ubuntu 22.04.3 LTS Description: When `Content-Security-Policy: frame-src ‘self’` is set, an <iframe> whose `src` attribute is a blob: URL is allowed to load. The attached test sets the response header `Content-Security-Policy: frame-src 'self' ` and dynamically creates an <iframe> whose `src` attribute is set to a blob: URL. The embedded document prints the word “run” to the console when it is loaded. Steps to Reproduce: 1) Serve the attached files from an HTTP web server with PHP enabled. 2) Visit self-enables-blob-frame-src.php. 3) Open the browser console and observe whether “run” is printed. Observed Behavior: The <iframe> is loaded and the console prints “run”. Expected Behavior: For <iframe> documents loaded from blob: URLs to be allowed, the blob: scheme should be explicitly listed in the `frame-src` directive. Comparison with other Major Browsers: Chrome, Opera, Brave, Edge, Firefox and Tor block the <iframe> and do not print “run”. Important Notes: - This behavior is observed only for the `frame-src` directive. - This behavior is not observed in the `frame-src` directive’s fallbacks (`child-src` and `default-src`) and `object-src`.