Bug 97030

Summary: CSP 'object-src' directive should correctly handle redirects.
Product: WebKit Reporter: Mike West <mkwst>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abarth, bauerb, bfulgham, buildbot, dbates, felipe, jochen, rniwa, webkit
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion
none
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion
none
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2
none
Archive of layout-test-results from ews101 for mac-yosemite
none
Archive of layout-test-results from ews107 for mac-yosemite-wk2
none
Archive of layout-test-results from ews112 for mac-yosemite none

Mike West
Reported 2012-09-18 11:18:06 PDT
CSP 'object-src' directive should correctly handle redirects.
Attachments
Patch (2.41 KB, patch)
2012-09-18 11:19 PDT, Mike West 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion (505.21 KB, application/zip)
2014-06-12 22:12 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion (505.25 KB, application/zip)
2014-06-12 23:11 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 (526.75 KB, application/zip)
2014-06-13 15:18 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from ews101 for mac-yosemite (873.40 KB, application/zip)
2015-11-21 22:12 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (767.93 KB, application/zip)
2015-11-21 22:16 PST, Build Bot 		no flags
Details
Archive of layout-test-results from ews112 for mac-yosemite (772.45 KB, application/zip)
2015-11-21 22:20 PST, Build Bot 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2012-09-18 11:19:02 PDT
Created attachment 164588 [details] Patch
Mike West
Comment 2 2012-09-18 11:27:38 PDT
I dislike plugins. It looks like we're mishandling plugins loaded via redirect. I'm pretty sure that the attached test should block the plugin's final URL, but it doesn't. I've dug through a bit of plugin-loading loading code, but it quickly falls into platform specific messiness. So, I'll hopefully ask you folks: is there a point inside WebKit where we can make the CSP check? If not, can you help me track down where the plugin actually gets loaded so that I can add the proper hooks (or come up with some crazy delegate structure)? Thanks!
Adam Barth
Comment 3 2012-09-19 11:10:43 PDT
This bug is going to be hard to fix. Plugin loading works in a very port-specific manner. I'd be inclined not to worry about this bug for a while.
Mike West
Comment 4 2012-09-20 01:55:41 PDT
(In reply to comment #3) > This bug is going to be hard to fix. Plugin loading works in a very port-specific manner. I'd be inclined not to worry about this bug for a while. I'd be less concerned about it if we were talking about fonts or something otherwise mostly benign. I don't really like having a bug in object whitelisting. *shrug* That said, I agree that it's going to be a pain to fix. :)
Mike West
Comment 5 2013-02-07 11:00:45 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Build Bot
Comment 6 2014-06-12 22:12:08 PDT
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/5481509171494912 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Build Bot
Comment 7 2014-06-12 22:12:13 PDT
Created attachment 233027 [details] Archive of layout-test-results from webkit-ews-07 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-07 Port: mac-mountainlion Platform: Mac OS X 10.8.5
Build Bot
Comment 8 2014-06-12 23:11:11 PDT
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/5855960526487552 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Build Bot
Comment 9 2014-06-12 23:11:15 PDT
Created attachment 233029 [details] Archive of layout-test-results from webkit-ews-01 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-01 Port: mac-mountainlion Platform: Mac OS X 10.8.5
Build Bot
Comment 10 2014-06-13 15:17:59 PDT
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/5915923638648832 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Build Bot
Comment 11 2014-06-13 15:18:03 PDT
Created attachment 233082 [details] Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-14 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.5
Build Bot
Comment 12 2015-11-21 22:12:35 PST
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/461891 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Build Bot
Comment 13 2015-11-21 22:12:38 PST
Created attachment 266043 [details] Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 14 2015-11-21 22:16:09 PST
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/461900 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Build Bot
Comment 15 2015-11-21 22:16:13 PST
Created attachment 266044 [details] Archive of layout-test-results from ews107 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Build Bot
Comment 16 2015-11-21 22:20:07 PST
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/461888 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Build Bot
Comment 17 2015-11-21 22:20:10 PST
Created attachment 266045 [details] Archive of layout-test-results from ews112 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5
Chris Rebert
Comment 18 2016-04-12 12:01:04 PDT
Relevant: http://githubengineering.com/githubs-csp-journey/#object-src
Daniel Bates
Comment 19 2016-04-14 17:39:19 PDT
Will fix this issue as part of the fix for bug #153154. *** This bug has been marked as a duplicate of bug 153154 ***
Note You need to log in before you can comment on or make changes to this bug.