Summary: | CSP: Should only honor CSP policy delivered in meta tag that is a descendent of <head> | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Adam Barth <abarth> | ||||
Component: | DOM | Assignee: | Daniel Bates <dbates> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | bfulgham, cdumez, commit-queue, dbates, esprehn+autocc, felipe, gyuyoung.kim, kangil.han, mkwst, webkit-bug-importer | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Attachments: |
|
Description
Adam Barth
2011-04-29 18:42:28 PDT
The <meta> tag got punted to CSP 1.1 in the working group. As of <https://w3c.github.io/webappsec-csp/2/#delivery-html-meta-element (Editor’s Draft, 29 August 2015), we should only honor the CSP meta tag if it is a descendent of <head>. Created attachment 275893 [details]
Patch and Layout Tests
Comment on attachment 275893 [details] Patch and Layout Tests View in context: https://bugs.webkit.org/attachment.cgi?id=275893&action=review r=me > Source/WebCore/dom/Document.h:829 > + // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called As long as your revising this, you might as well say "an HTTP header". > Source/WebCore/dom/Document.h:832 > + // specified in a HTML file. "an HTML file." > LayoutTests/ChangeLog:10 > + X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>. I assume that there are already tests that CSP features in <head> descendants work? (In reply to comment #5) > > Source/WebCore/dom/Document.h:829 > > + // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called > > As long as your revising this, you might as well say "an HTTP header". > Will fix before landing. > > Source/WebCore/dom/Document.h:832 > > + // specified in a HTML file. > > "an HTML file." > Will fix before landing. > > LayoutTests/ChangeLog:10 > > + X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>. > > I assume that there are already tests that CSP features in <head> > descendants work? Yes, we have many such tests. One example of a such a test is <http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html?rev=133095>. Committed r199163: <http://trac.webkit.org/changeset/199163> |