Bug 155182 - Web Inspector: Images being blocked by CSP 2.0
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Joseph Pecoraro
Keywords: InRadar
Reported: 2016-03-08 12:20 PST by Joseph Pecoraro
Modified: 2016-03-08 13:56 PST

Attachments
[PATCH] Proposed Fix (1.46 KB, patch)
2016-03-08 12:21 PST, Joseph Pecoraro
[PATCH] Better Fix (blob for font-src) (1.52 KB, patch)
2016-03-08 12:29 PST, Joseph Pecoraro

Description Joseph Pecoraro 2016-03-08 12:20:03 PST
* SUMMARY
All inspector images (file://) are being blocked by CSP 2.0. Warnings like:

CONSOLE ERROR Refused to load the image 'file:///Users/pecoraro/Build/Release/WebInspectorUI.framework/Resources/Images/UserInputPrompt.svg' because it violates the following Content Security Policy directive: "img-src *".

* NOTES
- Inspector includes "file:" and "blob:" image resources.
Comment 1 Radar WebKit Bug Importer 2016-03-08 12:20:50 PST
<rdar://problem/25040640>
Comment 2 Joseph Pecoraro 2016-03-08 12:21:33 PST
Created attachment 273314
[PATCH] Proposed Fix
Comment 3 Joseph Pecoraro 2016-03-08 12:29:25 PST
Created attachment 273315
[PATCH] Better Fix (blob for font-src)

Missed out on font-src blob:. Also added for media-src just in case.
Comment 4 Daniel Bates 2016-03-08 12:37:08 PST
Comment on attachment 273315
[PATCH] Better Fix (blob for font-src)

View in context: https://bugs.webkit.org/attachment.cgi?id=273315&action=review

> Source/WebInspectorUI/UserInterface/Main.html:29
> +    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * file: blob:; connect-src *; media-src * blob:; font-src * blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'">
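
Review bot: In the `content` attribute, `font-src * blob:` and `media-src * blob:` gain `blob:` but not `file:`, whereas `img-src` had to list `file:` because the console error in the description shows `img-src *` refusing a `file:///` image. If the inspector loads any font or media file from its Resources directory over `file:`, those loads would be refused the same way, so either confirm that none exist or list `file:` in those two directives as well. A short HTML comment beside the meta tag saying why `file:` and `blob:` are listed in addition to `*` would help whoever edits this policy next.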

This is OK as-is. It is unnecessary to explicitly add "blob:" to the media-src directive as * will match blob URLs.
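
The failure in the description (`img-src *` refusing a `file:` image) can be checked for mechanically. The following is an added example, not code from the WebKit project or from anyone in this thread: it parses the two policy strings quoted on this page and reports which directives list a scheme explicitly and which rely on `*` alone. The function names and result labels are assumptions made for the illustration, and `'self'` and host sources are not evaluated.

```javascript
// Added example: classify how each CSP directive covers a non-network scheme.
// Policy strings are copied from this page; names and labels are illustrative.
const OLD_IMG_POLICY = "img-src *"; // directive quoted in the console error
const COMMITTED_POLICY =
  "default-src 'self'; img-src * file: blob:; connect-src *; " +
  "media-src * blob:; font-src * blob:; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-inline'";

// Parse "name src src; name src" into a Map of directive -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// "explicit":      the scheme-source (e.g. "file:") is listed.
// "wildcard-only": only "*" could cover it; the error in the description
//                  shows that was not enough for file: images.
// "unlisted":      neither; 'self' and host sources depend on the document's
//                  own origin and are not evaluated here.
// "unrestricted":  no such directive and no default-src to fall back to.
function schemeCoverage(policy, directive, scheme) {
  const directives = parsePolicy(policy);
  // Fetch directives fall back to default-src when absent.
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (!sources) return "unrestricted";
  const wanted = scheme.toLowerCase() + ":";
  if (sources.some((s) => s.toLowerCase() === wanted)) return "explicit";
  if (sources.includes("*")) return "wildcard-only";
  return "unlisted";
}

// List every directive/scheme pair that relies on "*" alone.
function wildcardOnly(policy, directiveNames, schemes) {
  const findings = [];
  for (const d of directiveNames)
    for (const s of schemes)
      if (schemeCoverage(policy, d, s) === "wildcard-only") findings.push(`${d} ${s}:`);
  return findings;
}

console.log(wildcardOnly(COMMITTED_POLICY,
  ["img-src", "font-src", "media-src", "connect-src"], ["file", "blob"]));
```

Pairs reported as wildcard-only are the ones to test in the target engine, since whether `*` covers a given non-network scheme is the behaviour this bug turned on.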
Comment 5 WebKit Commit Bot 2016-03-08 13:56:03 PST
Comment on attachment 273315
[PATCH] Better Fix (blob for font-src)

Clearing flags on attachment: 273315

Committed r197802: <http://trac.webkit.org/changeset/197802>
Comment 6 WebKit Commit Bot 2016-03-08 13:56:07 PST
All reviewed patches have been landed.  Closing bug.