Bug 116067 - CSP: Redirects in DocumentThreadableLoader should respect the active policy
Summary: CSP: Redirects in DocumentThreadableLoader should respect the active policy
Status: RESOLVED DUPLICATE of bug 69359
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: BlinkMergeCandidate
Depends on:
Blocks:
 
Reported: 2013-05-13 16:03 PDT by Ryosuke Niwa
Modified: 2016-01-15 14:38 PST (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2013-05-13 16:03:47 PDT
We should probably merge
https://chromium.googlesource.com/chromium/blink/+/2853f594838e8bf24813482ad02f87853cae4366

CSP: Redirects in DocumentThreadableLoader should respect the active policy.

Canary currently fails test 150[1] and 156[2] of Erlend Oftedal's "CSP Testing"
checks[3]. Both fail because we currently only check the URL to which an XHR
connects during 'xhr.open()'. This patch adjusts the checks happening inside
DocumentThreadableLoader::redirectReceived in order to verify that the URL to
which we've been redirected passes through the page's Content Security Policy
as well.

[1]: http://csptesting.herokuapp.com/test/load/150
[2]: http://csptesting.herokuapp.com/test/load/156
[3]: http://csptesting.herokuapp.com/
Comment 1 Daniel Bates 2016-01-15 14:38:56 PST

*** This bug has been marked as a duplicate of bug 69359 ***