Bug 59858

Summary:

CSP: Should only honor CSP policy delivered in meta tag that is a descendent of <head>

Product:

WebKit

Reporter:

Adam Barth <abarth>

Component:

DOM

Assignee:

Daniel Bates <dbates>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, cdumez, commit-queue, dbates, esprehn+autocc, felipe, gyuyoung.kim, kangil.han, mkwst, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch and Layout Tests	bfulgham: review+

Description Adam Barth 2011-04-29 18:42:28 PDT

We need to clarify the spec in this regard and then implement what the spec says.

Comment 1 Adam Barth 2012-05-03 17:34:51 PDT

The <meta> tag got punted to CSP 1.1 in the working group.

Comment 2 Daniel Bates 2016-03-23 11:03:42 PDT

As of <https://w3c.github.io/webappsec-csp/2/#delivery-html-meta-element (Editor’s Draft, 29 August 2015), we should only honor the CSP meta tag if it is a descendent of <head>.

Comment 3 Radar WebKit Bug Importer 2016-04-07 09:48:39 PDT

<rdar://problem/25603538>

Comment 4 Daniel Bates 2016-04-07 10:11:48 PDT

Created attachment 275893 [details]
Patch and Layout Tests

Comment 5 Brent Fulgham 2016-04-07 10:53:17 PDT

Comment on attachment 275893 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=275893&action=review

r=me

> Source/WebCore/dom/Document.h:829
> +    // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called

As long as your revising this, you might as well say "an HTTP header".

> Source/WebCore/dom/Document.h:832
> +    // specified in a HTML file.

"an HTML file."

> LayoutTests/ChangeLog:10
> +        X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>.

I assume that there are already tests that CSP features in <head> descendants work?

Comment 6 Daniel Bates 2016-04-07 10:59:20 PDT

(In reply to comment #5)
> > Source/WebCore/dom/Document.h:829
> > +    // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called
> 
> As long as your revising this, you might as well say "an HTTP header".
> 

Will fix before landing.

> > Source/WebCore/dom/Document.h:832
> > +    // specified in a HTML file.
> 
> "an HTML file."
> 

Will fix before landing.

> > LayoutTests/ChangeLog:10
> > +        X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>.
> 
> I assume that there are already tests that CSP features in <head>
> descendants work?

Yes, we have many such tests. One example of a such a test is <http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html?rev=133095>.

Comment 7 Daniel Bates 2016-04-07 11:03:08 PDT

Committed r199163: <http://trac.webkit.org/changeset/199163>