Bug 154521 - CSP: Enable base-uri directive by default
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar, WebExposed
Depends on:
Blocks:
 
Reported: 2016-02-21 15:34 PST by Daniel Bates
Modified: 2016-02-23 16:53 PST
CC List: 5 users

See Also:


Attachments
Patch and Layout Tests (16.34 KB, patch), 2016-02-21 16:38 PST, Daniel Bates, no flags
Patch and Layout Tests (19.47 KB, patch), 2016-02-23 13:26 PST, Daniel Bates, bfulgham: review+

Description Daniel Bates 2016-02-21 15:34:02 PST
Currently the Content Security Policy base-uri directive is guarded by ENABLE(CSP_NEXT) and a runtime flag, both of which are disabled by default. This directive has been part of the Content Security Policy spec since version 1.1, and other browsers, such as Google Chrome, have enabled it by default for some time. We should enable it by default.
Comment 1 Radar WebKit Bug Importer 2016-02-21 15:34:14 PST
<rdar://problem/24762032>
Comment 2 Daniel Bates 2016-02-21 16:38:24 PST
Created attachment 271893
Patch and Layout Tests
Comment 3 Daniel Bates 2016-02-23 13:26:17 PST
Created attachment 272046
Patch and Layout Tests

Added base-uri to the list of standard CSP directives and modified LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html to ensure that we emit a warning message when base-uri is used as a source expression.
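Added example, not part of this bug or of WebKit's own code: a small JavaScript CSP parser that reproduces the two behaviours the comment above touches. It warns when a directive name such as base-uri turns up inside a source list (the missing-semicolon case that source-list-parsing-no-semicolon.html exercises), and it checks a candidate <base href> against the policy's base-uri source list, with no fallback to default-src. The names parsePolicy, baseUriAllowed and STANDARD_DIRECTIVES, the warning wording and the simplified host matching (no port or path handling) are assumptions of this example, not WebKit's.

```javascript
// Added example (not WebKit code). Directive names are the CSP Level 2 set;
// the warning text below is this example's own wording, not WebKit's.
const STANDARD_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src',
  'form-action', 'frame-ancestors', 'base-uri', 'plugin-types',
  'report-uri', 'sandbox',
]);

// Parse "directive source source; directive source" into a Map of
// directive name -> source tokens. A directive name that appears as a
// source expression almost always means a missing ';', so record a warning.
function parsePolicy(policy) {
  const directives = new Map();
  const warnings = [];
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    for (const src of sources) {
      if (STANDARD_DIRECTIVES.has(src.toLowerCase())) {
        warnings.push(`'${src}' in directive '${name}' is a directive name, ` +
                      `not a source expression; is a semicolon missing?`);
      }
    }
    // Per CSP, a repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, sources);
  }
  return { directives, warnings };
}

// Would a <base href="baseHref"> be allowed on a page at pageOrigin under
// this policy? Handles 'none', 'self', scheme sources ("https:") and
// host sources with an optional leading "*."; ports and paths are ignored
// (assumption: enough to show the check, not the full matching algorithm).
function baseUriAllowed(policy, pageOrigin, baseHref) {
  const { directives } = parsePolicy(policy);
  const sources = directives.get('base-uri');
  // base-uri does not fall back to default-src: no directive, no restriction.
  if (sources === undefined) return true;
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;

  const url = new URL(baseHref, pageOrigin);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'none'") continue;                      // matches nothing
    if (s === "'self'") {
      if (url.origin === page.origin) return true;
      continue;
    }
    if (s.endsWith(':')) {                             // scheme source
      if (url.protocol === s) return true;
      continue;
    }
    const host = s.includes('://') ? new URL(s).host : s;
    if (host.startsWith('*.')) {
      if (url.host.endsWith(host.slice(1))) return true;
    } else if (url.host === host) {
      return true;
    }
  }
  return false;
}
```

The instructive case is the no-semicolon policy: `script-src 'self' base-uri 'none'` parses as a single script-src directive whose source list contains the literal token `base-uri`, so no base-uri restriction is in effect at all and an injected `<base href>` to another origin is allowed. That is exactly the situation the warning exists to catch.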
Comment 4 Brent Fulgham 2016-02-23 14:39:26 PST
Comment on attachment 272046
Patch and Layout Tests

r=me.
Comment 5 Daniel Bates 2016-02-23 16:53:32 PST
Committed r197007: <http://trac.webkit.org/changeset/197007>