Bug 88883
| Field | Value |
|---|---|
| Summary | "view-source" URI scheme & Content Security Policy (CSP) |
| Product | WebKit |
| Component | WebCore Misc. |
| Status | RESOLVED REMIND |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Ashar Javed <justashar> |
| Assignee | Nobody <webkit-unassigned> |
| CC | abarth, dveditz, justashar, webkit-bug-importer |
| Keywords | InRadar |

Ashar Javed
"view-source" shows the source code of the page, i.e., view-source:http://www.mobilefuxx.de. The "view-source" URI scheme was unable to load the source code of the page if Content Security Policy (CSP) is in place.
I have a CSP test-bed at http://www.mobilefuxx.de/csp/xsstest/test.php. On http://www.mobilefuxx.de/csp/xsstest/test.php, I have a CSP policy 'self' for every type of resource. If I use:
<iframe src="http://www.mobilefuxx.de/"></iframe>
It works fine because the URI corresponds to 'self'. But if I use "view-source":
<iframe src="view-source:http://www.mobilefuxx.de/"></iframe>
It does not work & I got false positive errors/warnings. I think it should display the source code because I am asking for the source code of a URI that corresponds to 'self'. Would you please look into the issue? Thanks!
Adam Barth
Are you sure this has to do with CSP? The view-source doesn't seem to work even with sites that don't use CSP:
data:text/html,<iframe src="view-source:http://www.example.com/"></iframe>
By contrast, the viewsource attribute does appear to work with your site.
data:text/html,<iframe viewsource src="http://www.mobilefuxx.de/csp/xsstest/test.php"></iframe>
Adam Barth
Oh, you meant typing in the box. If you type the following in the box:
<iframe viewsource src="http://www.mobilefuxx.de/"></iframe>
It works fine... Maybe I'm still not quite understanding the issue.
Ashar Javed
(In reply to comment #2)
> Oh, you meant typing in the box. If you type the following in the box:
>
> <iframe viewsource src="http://www.mobilefuxx.de/"></iframe>
>
> It works fine... Maybe I'm still not quite understanding the issue.
Thanks, Adam. It works fine by adding the word "src". Again, thanks!
Ashar Javed
Adam, there is some discussion related to the same issue (I have found on Firefox) on Mozilla Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=762795).
Would you please un-hide the bug or cc "Daniel Veditz"? Would you please check the discussion? Thanks!
Adam Barth
Done.
Radar WebKit Bug Importer
<rdar://problem/11679312>