Bug 154177 - RESOLVED FIXED
CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
https://bugs.webkit.org/show_bug.cgi?id=154177
Daniel Bates
Reported 2016-02-12 11:26:07 PST
Following up from bug #112573 and bug #153748, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against an HTTP or HTTPS resource. For example, assume the page http://www.example.com has Content Security Policy script-src example.com. If the page loads an external JavaScript script https://example.com/script.js then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by <https://www.w3.org/TR/CSP2/#match-source-expression> (21 July 2015).
Attachments
Patch and Layout Tests (4.90 KB, patch)
2016-02-12 11:47 PST, Daniel Bates
no flags
Daniel Bates
Comment 1 2016-02-12 11:26:39 PST
Daniel Bates
Comment 2 2016-02-12 11:47:12 PST
Created attachment 271196 [details] Patch and Layout Tests
Brent Fulgham
Comment 3 2016-02-15 09:54:05 PST
Comment on attachment 271196 [details] Patch and Layout Tests
r=me.
Daniel Bates
Comment 4 2016-02-15 10:53:56 PST
Comment on attachment 271196 [details] Patch and Layout Tests
Clearing flags on attachment: 271196
Committed r196581: <http://trac.webkit.org/changeset/196581>
Daniel Bates
Comment 5 2016-02-15 10:53:59 PST
All reviewed patches have been landed. Closing bug.
Daniel Bates
Comment 6 2016-02-15 20:28:29 PST
*** Bug 146723 has been marked as a duplicate of this bug. ***
Czirkos Zoltan
Comment 7 2017-09-10 05:56:47 PDT
Is this patch supposed to be in iOS 9.3.5? The bug still exists on an iPhone 4 which is claiming to be up to date, although the date of closing the bug is February 2016.