WebKit Bugzilla
Bug 153160 - CSP: Don't inherit parent's CSP in PluginDocuments
Status: RESOLVED WORKSFORME
https://bugs.webkit.org/show_bug.cgi?id=153160

Daniel Bates
Reported 2016-01-15 15:12:39 PST
We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=191037>.

Don't inherit parent's CSP in PluginDocuments

Inheriting the CSP in a PluginDocument causes <iframe src="foo.pdf"> to be blocked if the parent's CSP forbids <embed src="foo.pdf">, as the iframe turns into a PluginDocument with an <embed> tag inside it. The only exception is that the plugin-types directive is still inherited from a parent document to a child PluginDocument, which preserves the current behavior and is required by the CSP spec.
Radar WebKit Bug Importer
Comment 1
2016-01-27 20:49:05 PST
<rdar://problem/24383285>
Ryan Reno
Comment 2
2022-10-20 09:35:35 PDT
I can't reproduce the bug this Blink revision fixed.

index.html:
-----------
<!DOCTYPE html>
<iframe src="plugin-test.html"></iframe>

plugin-test.html:
----------------
<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
<iframe src="foo.pdf"></iframe>

The above example displays the PDF as expected.

Another attempt I made was to simulate what the tests in that revision simulated with a Python server which responds to any GET request with

Content-Type: application/x-webkit-netscape-test
Content-Security-Policy: object-src 'none'

<h2>test</h2>

This causes WebKit to initiate a download of a plain text file containing the text "test".

At no point does CSP block anything.
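As an added illustration (not WebKit or Blink code), here is a small Python model of the rule quoted in the bug description: inheriting the parent's whole policy into the PluginDocument blocks the synthesized <embed> whenever the parent says object-src 'none', while inheriting only plugin-types does not. The origins, paths and the simplified source-list and MIME matching are assumptions made for the example.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# After the Blink change cited in the bug, this is the only directive a child
# PluginDocument still takes from its parent document.
INHERITED_BY_PLUGIN_DOCUMENT = {"plugin-types"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source values]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_for_plugin_document(parent: dict[str, list[str]], inherit_all: bool) -> dict[str, list[str]]:
    """inherit_all=True models the pre-fix behaviour; False keeps only plugin-types."""
    if inherit_all:
        return dict(parent)
    return {name: values for name, values in parent.items() if name in INHERITED_BY_PLUGIN_DOCUMENT}


def source_allowed(values: list[str], document_origin: str, target_url: str) -> bool:
    """Simplified source-list matching: only 'none', 'self', '*' and exact origins (assumption)."""
    parts = urlsplit(target_url)
    target_origin = f"{parts.scheme}://{parts.netloc}"
    for value in values:
        if value == "'none'":
            return False
        if value == "*" or value == target_origin or (value == "'self'" and target_origin == document_origin):
            return True
    return False  # empty or unmatched source list blocks


def embed_blocked(policy: dict[str, list[str]], document_origin: str, src: str, mime: str) -> bool:
    """Would the <embed src=...> synthesized inside the PluginDocument be blocked by this policy?"""
    sources = policy.get("object-src", policy.get("default-src"))  # object-src falls back to default-src
    if sources is not None and not source_allowed(sources, document_origin, src):
        return True
    allowed_types = policy.get("plugin-types")  # exact MIME match only (assumption)
    return allowed_types is not None and mime not in allowed_types


def iframe_pdf_blocked(parent_csp: str, inherit_all: bool,
                       document_origin: str = "https://example.test",
                       src: str = "https://example.test/foo.pdf",
                       mime: str = "application/pdf") -> bool:
    """The bug's scenario: parent with parent_csp frames foo.pdf, which becomes a PluginDocument."""
    plugin_doc_policy = csp_for_plugin_document(parse_csp(parent_csp), inherit_all)
    return embed_blocked(plugin_doc_policy, document_origin, src, mime)
```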
Ryan Reno
Comment 3
2022-10-20 09:39:50 PDT
Additionally, this example also displays the PDF as expected.

<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
<iframe src="foo.pdf"></iframe>
Ryan Reno
Comment 4
2022-10-20 09:40:53 PDT
(In reply to Ryan Reno from comment #3)
> Additionally, this example also displays the PDF as expected.
>
> <!DOCTYPE html>
> <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
> <iframe src="foo.pdf"></iframe>

Actually, I don't know if that's expected or not? Maybe that's a separate issue.