Bug 59858

Summary: CSP: Should only honor CSP policy delivered in meta tag that is a descendent of <head>
Product: WebKit Reporter: Adam Barth <abarth>
Component: DOMAssignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, commit-queue, dbates, esprehn+autocc, felipe, gyuyoung.kim, kangil.han, mkwst, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch and Layout Tests bfulgham: review+

Adam Barth
Reported 2011-04-29 18:42:28 PDT
We need to clarify the spec in this regard and then implement what the spec says.
Attachments
Patch and Layout Tests (15.23 KB, patch)
2016-04-07 10:11 PDT, Daniel Bates 		bfulgham: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2012-05-03 17:34:51 PDT
The <meta> tag got punted to CSP 1.1 in the working group.
Daniel Bates
Comment 2 2016-03-23 11:03:42 PDT
As of <https://w3c.github.io/webappsec-csp/2/#delivery-html-meta-element (Editor’s Draft, 29 August 2015), we should only honor the CSP meta tag if it is a descendent of <head>.
Radar WebKit Bug Importer
Comment 3 2016-04-07 09:48:39 PDT
<rdar://problem/25603538>
Daniel Bates
Comment 4 2016-04-07 10:11:48 PDT
Created attachment 275893 [details] Patch and Layout Tests
Brent Fulgham
Comment 5 2016-04-07 10:53:17 PDT
Comment on attachment 275893 [details] Patch and Layout Tests View in context: https://bugs.webkit.org/attachment.cgi?id=275893&action=review r=me > Source/WebCore/dom/Document.h:829 > + // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called As long as your revising this, you might as well say "an HTTP header". > Source/WebCore/dom/Document.h:832 > + // specified in a HTML file. "an HTML file." > LayoutTests/ChangeLog:10 > + X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>. I assume that there are already tests that CSP features in <head> descendants work?
Daniel Bates
Comment 6 2016-04-07 10:59:20 PDT
(In reply to comment #5) > > Source/WebCore/dom/Document.h:829 > > + // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called > > As long as your revising this, you might as well say "an HTTP header". > Will fix before landing. > > Source/WebCore/dom/Document.h:832 > > + // specified in a HTML file. > > "an HTML file." > Will fix before landing. > > LayoutTests/ChangeLog:10 > > + X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>. > > I assume that there are already tests that CSP features in <head> > descendants work? Yes, we have many such tests. One example of a such a test is <http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html?rev=133095>.
Daniel Bates
Comment 7 2016-04-07 11:03:08 PDT
Committed r199163: <http://trac.webkit.org/changeset/199163>
Note You need to log in before you can comment on or make changes to this bug.