Bug 106084 - CSP: 'frame-src' should block redirects to invalid sources.
Summary: CSP: 'frame-src' should block redirects to invalid sources.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mike West
URL:
Keywords:
Depends on:
Blocks: 103582
  Show dependency treegraph
 
Reported: 2013-01-04 04:35 PST by Mike West
Modified: 2013-01-04 11:14 PST (History)
4 users (show)

See Also:


Attachments
Patch (6.00 KB, patch)
2013-01-04 04:38 PST, Mike West
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2013-01-04 04:35:18 PST
WebKit currently fails test 95 and 101 on http://csptesting.herokuapp.com/.

These test variations on whitelisting a source via a 'frame-src' directive, and then loading a whitelisted frame from that source which redirects to a non-whitelisted source. This redirection should be blocked, but currently isn't.
Comment 1 Mike West 2013-01-04 04:38:22 PST
Created attachment 181289 [details]
Patch
Comment 2 Mike West 2013-01-04 04:40:03 PST
Hi Adam! This patch moves the CSP check for 'frame-src' out of SubframeLoader and into PolicyChecker, which allows us to validate the whole redirect chain, and also seems like a better location semantically. FrameLoader is pretty complex, however, so I'm not actually sure I'm doing the right thing here.

Would you mind taking a look?

Thanks!
Comment 3 Adam Barth 2013-01-04 09:57:50 PST
Comment on attachment 181289 [details]
Patch

Yeah, putting this in policy checker is much better.
Comment 4 Mike West 2013-01-04 10:51:41 PST
Comment on attachment 181289 [details]
Patch

Glad I interpreted things correctly. Thanks for the review!
Comment 5 WebKit Review Bot 2013-01-04 11:14:42 PST
Comment on attachment 181289 [details]
Patch

Clearing flags on attachment: 181289

Committed r138818: <http://trac.webkit.org/changeset/138818>
Comment 6 WebKit Review Bot 2013-01-04 11:14:45 PST
All reviewed patches have been landed.  Closing bug.