156935 – REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'

Bug 156935 - REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'

Summary: REGRESSION (r196012): Subresource may be blocked by Content Security Policy i...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	WebKit Local Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Daniel Bates

URL:
Keywords:	InRadar, Regression

Duplicates (1):	157472 (view as bug list)
Depends on:	153748
Blocks:
	Show dependency tree / graph

Reported:	2016-04-22 16:09 PDT by Daniel Bates
Modified:	2016-06-01 23:52 PDT (History)
CC List:	8 users (show)

See Also:	157472

Attachments
Patch and Layout Tests (13.15 KB, patch) 2016-04-22 16:36 PDT, Daniel Bates	darin: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Bates 2016-04-22 16:09:39 PDT

Using WebKit r196012 or later, perform the following:

1. Visit <http://www.blogger.com> and sign in.
2. Create a new blog if you do not already have one.
3. Create a new block post by clicking the button with the pen icon

Blogger.com will navigate to the editor dashboard page and this page is almost entirely blank when it would otherwise display a document editor to create a new blog post. In the console you will see messages of the form:

[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=1 because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=2 because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=3 because it does not appear in the script-src directive of the Content Security Policy.

Comment 1 Daniel Bates 2016-04-22 16:10:03 PDT

<rdar://problem/25351286>

Comment 2 Daniel Bates 2016-04-22 16:36:29 PDT

Created attachment 277113 [details]
Patch and Layout Tests

Even though it is not strictly necessary to call ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&) because we will call this function when we apply the policy to the script execution context in ContentSecurityPolicy::applyPolicyToScriptExecutionContext() I thought to do so to keep symmetry with the ContentSecurityPolicy(const SecurityOrigin&, const Frame*) constructor and this code is unlikely to be sufficiently hot in a profile. Let me know if it is preferred to omit the call to ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&).

Comment 3 Daniel Bates 2016-04-25 09:27:11 PDT

Committed r200030: <http://trac.webkit.org/changeset/200030>

Comment 4 Daniel Bates 2016-06-01 23:52:52 PDT

*** Bug 157472 has been marked as a duplicate of this bug. ***