RESOLVED FIXED 153150
CSP: Fire 'load' events even when blocking loads via 'frame-src'.
https://bugs.webkit.org/show_bug.cgi?id=153150
Daniel Bates
Reported 2016-01-15 14:55:04 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=165743>. CSP: Fire 'load' events even when blocking loads via 'frame-src'. If we fire a 'load' event, the frame looks just like any other cross-origin load that succeeded. If we don't fire a 'load' event, timing attacks can gain knowledge about the URL in the frame by blocking the URL in a page's CSP, and waiting long enough to be sure that a 'load' event _would_ have fired if the load wasn't blocked.
Attachments
Patch (5.03 KB, patch)
2016-05-27 13:26 PDT, Brent Fulgham
dbates: review+
Radar WebKit Bug Importer
Comment 1 2016-01-27 20:31:50 PST
Brent Fulgham
Comment 2 2016-05-27 13:26:13 PDT
Daniel Bates
Comment 3 2016-05-27 13:35:13 PDT
Comment on attachment 279986 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=279986&action=review > LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt:17 > PASS successfullyParsed is true > > TEST COMPLETE > +PASS successfullyParsed is true > + > +TEST COMPLETE This output does not look correct.
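Review bot: The three added lines at the end of frame-src-cross-origin-load-expected.txt repeat `PASS successfullyParsed is true` and `TEST COMPLETE`, which already appear directly above them as unchanged context, so the expectation would record the completion block twice. A test that finishes once prints that block once. If this test really does emit it a second time, the cause should be fixed in the test itself (one possibility is that its completion step runs twice) rather than captured in the expected file, since a doubled completion block can also hide ordering problems that make the test flaky.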
Brent Fulgham
Comment 4 2016-05-27 13:48:52 PDT
Brent Fulgham
Comment 5 2016-05-27 16:34:30 PDT
Landed a fix for test flakiness in r201472 <http://trac.webkit.org/changeset/201472>.