WebKit Bugzilla
Bug 156935 - REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=156935
Daniel Bates, Reported 2016-04-22 16:09:39 PDT
Using WebKit r196012 or later, perform the following:

1. Visit <http://www.blogger.com> and sign in.
2. Create a new blog if you do not already have one.
3. Create a new blog post by clicking the button with the pen icon.

Blogger.com will navigate to the editor dashboard page and this page is almost entirely blank when it would otherwise display a document editor to create a new blog post.

In the console you will see messages of the form:

[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=1 because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=2 because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.blogger.com/static/v1/gwt/deferredjs/82FBD225E45CFA09FBE0B2E0F2D9D25B/13.cache.js?autoRetry=3 because it does not appear in the script-src directive of the Content Security Policy.
Attachments

Patch and Layout Tests (13.15 KB, patch), 2016-04-22 16:36 PDT, Daniel Bates; darin: review+
Daniel Bates, Comment 1, 2016-04-22 16:10:03 PDT

<rdar://problem/25351286>
Daniel Bates, Comment 2, 2016-04-22 16:36:29 PDT

Created attachment 277113: Patch and Layout Tests

Even though it is not strictly necessary to call ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&), because we will call this function when we apply the policy to the script execution context in ContentSecurityPolicy::applyPolicyToScriptExecutionContext(), I thought to do so to keep symmetry with the ContentSecurityPolicy(const SecurityOrigin&, const Frame*) constructor, and this code is unlikely to be sufficiently hot in a profile. Let me know if it is preferred to omit the call to ContentSecurityPolicy::updateSourceSelf() from ContentSecurityPolicy(ScriptExecutionContext&).
Daniel Bates, Comment 3, 2016-04-25 09:27:11 PDT

Committed r200030: <http://trac.webkit.org/changeset/200030>
Daniel Bates, Comment 4, 2016-06-01 23:52:52 PDT

*** Bug 157472 has been marked as a duplicate of this bug. ***