Summary: | CSP 'object-src' directive should correctly handle redirects. | | |
---|---|---|---|
Product: | WebKit | Reporter: | Mike West <mkwst> |
Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | | |
Severity: | Normal | CC: | abarth, bauerb, bfulgham, buildbot, dbates, felipe, jochen, rniwa, webkit |
Priority: | P2 | | |
Version: | 528+ (Nightly build) | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Attachments: | | | |

Description
Mike West
2012-09-18 11:18:06 PDT
Created attachment 164588 [details]
Patch
I dislike plugins. It looks like we're mishandling plugins loaded via redirect. I'm pretty sure that the attached test should block the plugin's final URL, but it doesn't. I've dug through a bit of plugin-loading code, but it quickly falls into platform-specific messiness. So, I'll hopefully ask you folks: is there a point inside WebKit where we can make the CSP check? If not, can you help me track down where the plugin actually gets loaded so that I can add the proper hooks (or come up with some crazy delegate structure)? Thanks!

This bug is going to be hard to fix. Plugin loading works in a very port-specific manner. I'd be inclined not to worry about this bug for a while.

(In reply to comment #3)
> This bug is going to be hard to fix. Plugin loading works in a very port-specific manner. I'd be inclined not to worry about this bug for a while.

I'd be less concerned about it if we were talking about fonts or something otherwise mostly benign. I don't really like having a bug in object whitelisting. *shrug* That said, I agree that it's going to be a pain to fix. :)

Unassigning myself; let's be realistic about what I'm actually working on. :/

Comment on attachment 164588 [details]
Patch
Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5481509171494912
New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html

Created attachment 233027 [details]
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-07 Port: mac-mountainlion Platform: Mac OS X 10.8.5

Comment on attachment 164588 [details]
Patch
Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5855960526487552
New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html

Created attachment 233029 [details]
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-01 Port: mac-mountainlion Platform: Mac OS X 10.8.5

Comment on attachment 164588 [details]
Patch
Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5915923638648832
New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html

Created attachment 233082 [details]
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-14 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.5

Comment on attachment 164588 [details]
Patch
Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/461891
New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html

Created attachment 266043 [details]
Archive of layout-test-results from ews101 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5

Comment on attachment 164588 [details]
Patch
Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/461900
New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html

Created attachment 266044 [details]
Archive of layout-test-results from ews107 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5

Comment on attachment 164588 [details]
Patch
Attachment 164588 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/461888
New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html

Created attachment 266045 [details]
Archive of layout-test-results from ews112 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5

Will fix this issue as part of the fix for bug #153154.

*** This bug has been marked as a duplicate of bug 153154 ***
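
The check the description asks for, sketched as an added example (not WebKit code and not taken from the attached patch): every URL in a plugin load's redirect chain is matched against the effective `object-src` source list, so an allowed first hop cannot hand off to a blocked final URL. The function names, the hosts and the origin-only matcher (`'none'`, `'self'`, `*`, `scheme://host[:port]`; no paths or host wildcards) are assumptions made for illustration.

```javascript
// Added illustration; not WebKit code. Simplified, origin-only source matching.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || ''}`;
}

// Effective source list for plugin loads: object-src, else default-src, else null.
// When a directive is repeated, the first occurrence wins.
function objectSrcSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get('object-src') ?? directives.get('default-src') ?? null;
}

function sourceAllows(source, url, documentUrl) {
  if (source === "'none'") return false;
  if (source === '*') return /^https?:$/.test(new URL(url).protocol);
  if (source === "'self'") return originOf(url) === originOf(documentUrl);
  try { return originOf(source) === originOf(url); } catch { return false; }
}

// chain: the requested plugin URL followed by each redirect target, in order.
// Returns the first URL the policy blocks, or null when every hop is allowed.
function firstBlockedHop(policy, documentUrl, chain) {
  const sources = objectSrcSources(policy);
  if (sources === null) return null; // neither directive present: nothing to enforce
  for (const url of chain) {
    if (!sources.some((s) => sourceAllows(s, url, documentUrl))) return url;
  }
  return null;
}

// Constructed sample: a same-origin URL that redirects to another origin.
const POLICY = "object-src 'self'";
const DOC = 'https://app.example/page.html';
const CHAIN = ['https://app.example/redirect?to=plugin', 'https://other.example/plugin.swf'];
console.log(firstBlockedHop(POLICY, DOC, CHAIN));      // final URL is blocked
console.log(firstBlockedHop(POLICY, DOC, [CHAIN[0]])); // null: checking only the first hop misses it
```

Checking only the initially requested URL returns `null` for the same load, which is the behaviour the failing `object-src-redirect-blocked.html` test is meant to catch.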