Bug 97030

Summary: CSP 'object-src' directive should correctly handle redirects.
Product: WebKit Reporter: Mike West <mkwst>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abarth, bauerb, bfulgham, buildbot, dbates, felipe, jochen, rniwa, webkit
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion
none
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion
none
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2
none
Archive of layout-test-results from ews101 for mac-yosemite
none
Archive of layout-test-results from ews107 for mac-yosemite-wk2
none
Archive of layout-test-results from ews112 for mac-yosemite none

Description Mike West 2012-09-18 11:18:06 PDT
CSP 'object-src' directive should correctly handle redirects.
Comment 1 Mike West 2012-09-18 11:19:02 PDT
Created attachment 164588 [details]
Patch
Comment 2 Mike West 2012-09-18 11:27:38 PDT
I dislike plugins.

It looks like we're mishandling plugins loaded via redirect. I'm pretty sure that the attached test should block the plugin's final URL, but it doesn't. I've dug through a bit of plugin-loading loading code, but it quickly falls into platform specific messiness.

So, I'll hopefully ask you folks: is there a point inside WebKit where we can make the CSP check? If not, can you help me track down where the plugin actually gets loaded so that I can add the proper hooks (or come up with some crazy delegate structure)?

Thanks!
Comment 3 Adam Barth 2012-09-19 11:10:43 PDT
This bug is going to be hard to fix.  Plugin loading works in a very port-specific manner.  I'd be inclined not to worry about this bug for a while.
Comment 4 Mike West 2012-09-20 01:55:41 PDT
(In reply to comment #3)
> This bug is going to be hard to fix.  Plugin loading works in a very port-specific manner.  I'd be inclined not to worry about this bug for a while.

I'd be less concerned about it if we were talking about fonts or something otherwise mostly benign. I don't really like having a bug in object whitelisting. *shrug* That said, I agree that it's going to be a pain to fix. :)
Comment 5 Mike West 2013-02-07 11:00:45 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment 6 Build Bot 2014-06-12 22:12:08 PDT
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5481509171494912

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 7 Build Bot 2014-06-12 22:12:13 PDT
Created attachment 233027 [details]
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-07  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 8 Build Bot 2014-06-12 23:11:11 PDT
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5855960526487552

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 9 Build Bot 2014-06-12 23:11:15 PDT
Created attachment 233029 [details]
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-01  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 10 Build Bot 2014-06-13 15:17:59 PDT
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5915923638648832

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 11 Build Bot 2014-06-13 15:18:03 PDT
Created attachment 233082 [details]
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-14  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5
Comment 12 Build Bot 2015-11-21 22:12:35 PST
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/461891

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 13 Build Bot 2015-11-21 22:12:38 PST
Created attachment 266043 [details]
Archive of layout-test-results from ews101 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 14 Build Bot 2015-11-21 22:16:09 PST
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/461900

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 15 Build Bot 2015-11-21 22:16:13 PST
Created attachment 266044 [details]
Archive of layout-test-results from ews107 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 16 Build Bot 2015-11-21 22:20:07 PST
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/461888

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 17 Build Bot 2015-11-21 22:20:10 PST
Created attachment 266045 [details]
Archive of layout-test-results from ews112 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 18 Chris Rebert 2016-04-12 12:01:04 PDT
Relevant: http://githubengineering.com/githubs-csp-journey/#object-src
Comment 19 Daniel Bates 2016-04-14 17:39:19 PDT
Will fix this issue as part of the fix for bug #153154.

*** This bug has been marked as a duplicate of bug 153154 ***