Bug 155505 - Skip Content Security Policy check for a media request using standard schemes initiated from an element in user agent shadow tree
Summary: Skip Content Security Policy check for a media request using standard schemes...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Daniel Bates
Keywords: InRadar
Reported: 2016-03-15 12:34 PDT by Daniel Bates
Modified: 2017-06-20 15:04 PDT
Attachments
Patch (4.37 KB, patch)
2017-06-16 16:02 PDT, Daniel Bates

Description Daniel Bates 2016-03-15 12:34:06 PDT
We should explicitly skip enforcing the Content Security Policy (CSP) of the page for media loads that are initiated by an element in a user-agent shadow tree because such elements are considered an implementation detail and should not be exposed to web developers. Currently we implicitly skip enforcement of CSP because media resources are treated as raw resources and we do not apply CSP to raw resources.
Comment 1 Daniel Bates 2016-03-15 12:34:34 PDT
<rdar://problem/25169452>
Comment 2 Alex Christensen 2016-03-15 23:26:06 PDT
See https://bugs.webkit.org/show_bug.cgi?id=155509
Comment 3 Daniel Bates 2017-06-16 15:53:43 PDT
Split off skip enforcing the Content Security Policy (CSP) for media requests to blob: and other external schemes to bug #173498.
Comment 4 Daniel Bates 2017-06-16 16:02:18 PDT
Created attachment 313151
Patch
Comment 5 Brent Fulgham 2017-06-20 14:53:02 PDT
Comment on attachment 313151
Patch

r=me
Comment 6 Daniel Bates 2017-06-20 15:04:36 PDT
Comment on attachment 313151
Patch

Clearing flags on attachment: 313151

Committed r218609: <http://trac.webkit.org/changeset/218609>
Comment 7 Daniel Bates 2017-06-20 15:04:37 PDT
All reviewed patches have been landed.  Closing bug.