WebKit Bugzilla
RESOLVED FIXED
159761
CSP: object-src and plugin-types directives are not respected for plugin replacements
https://bugs.webkit.org/show_bug.cgi?id=159761
Mike West
Reported
2016-07-14 06:37:13 PDT
Given the following test page, I'd expect the video embed to be blocked. It isn't on iOS:

```
<!DOCTYPE html>
<head>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
</head>
<body>
<object width="425" height="350" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
<embed width="425" height="350" type="application/x-shockwave-flash" src="https://www.youtube.com/v/cW44BpXpjYw" />
</object>
</body>
```

I suspect that this is due to the manipulations in `//WebCore/Modules/plugins/YouTubePluginReplacement.*`? It looks like that ends up replacing the plugin with an `<iframe>`, but `frame-src` and `child-src` seem equally ineffective at blocking the video.
Attachments
Work-in-progress patch (21.47 KB, patch), 2016-07-19 17:55 PDT, Daniel Bates, no flags
Patch and Layout Tests (28.72 KB, patch), 2016-07-20 18:03 PDT, Daniel Bates, no flags
Archive of layout-test-results from ews102 for mac-yosemite (896.23 KB, application/zip), 2016-07-20 18:52 PDT, Build Bot, no flags
Archive of layout-test-results from ews104 for mac-yosemite-wk2 (1006.63 KB, application/zip), 2016-07-20 18:55 PDT, Build Bot, no flags
Patch and Layout Tests (28.82 KB, patch), 2016-07-21 10:33 PDT, Daniel Bates, bfulgham: review+, buildbot: commit-queue-
Archive of layout-test-results from ews117 for mac-yosemite (1.47 MB, application/zip), 2016-07-21 11:36 PDT, Build Bot, no flags
Mike West
Comment 1
2016-07-14 06:37:39 PDT
CCing folks who might know what's up here.
Radar WebKit Bug Importer
Comment 2
2016-07-14 21:27:57 PDT
<rdar://problem/27365724>
Daniel Bates
Comment 3
2016-07-19 17:02:46 PDT
This issue affects plugin replacement content in general. We neither respect the object-src directive nor the plugin-types directive for plugin replacements. At the time of writing we have plugin replacements for YouTube flash videos and the QuickTime plugin. Currently we apply these directives to an HTML object/element that either loads an actual plugin or creates a nested browsing context (acts like an <iframe>). We also need to apply these directives when we make use of a plugin replacement.
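A simplified model of the ordering problem described in the comment above, added here as an illustration; it is not WebKit's code. `resolveEmbed`, `isReplaceable` and the `checkReplacements` flag are hypothetical names, the page origin is a constructed value, and source matching is reduced to `'none'`, `*`, `'self'` and exact origins.

```javascript
// Simplified model (not WebKit code): the CSP plugin checks must also run when
// a plugin replacement is chosen, otherwise the replacement path bypasses them.

function parsePolicy(header) {
  // "object-src 'none'; plugin-types application/pdf" -> Map(name -> [values])
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) // first occurrence wins
      directives.set(name.toLowerCase(), values);
  }
  return directives;
}

function sourceListAllows(sources, url, pageOrigin) {
  const target = new URL(url);
  return sources.some((s) => {
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") return target.origin === pageOrigin;
    try { return new URL(s).origin === target.origin; } catch { return false; }
  });
}

function cspAllowsPlugin(policy, el, pageOrigin) {
  // object-src falls back to default-src when it is absent.
  const objectSrc = policy.get('object-src') ?? policy.get('default-src');
  if (objectSrc && !sourceListAllows(objectSrc, el.src, pageOrigin)) return false;
  // plugin-types restricts the declared MIME type of the element.
  const types = policy.get('plugin-types');
  if (types && !types.includes((el.type || '').toLowerCase())) return false;
  return true;
}

// Hypothetical replacement rule standing in for the YouTube plugin replacement.
const isReplaceable = (el) =>
  el.type === 'application/x-shockwave-flash' &&
  new URL(el.src).hostname === 'www.youtube.com';

// checkReplacements=false models the reported behaviour, true the expected one.
function resolveEmbed(header, el, pageOrigin, { checkReplacements }) {
  const allowed = cspAllowsPlugin(parsePolicy(header), el, pageOrigin);
  if (isReplaceable(el))
    return !checkReplacements || allowed ? 'replacement' : 'blocked';
  return allowed ? 'plugin' : 'blocked';
}
```

With the embed from the report and `object-src 'none'`, the model returns `'replacement'` when replacements skip the check and `'blocked'` when they do not.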
Daniel Bates
Comment 4
2016-07-19 17:55:21 PDT
Created attachment 284074
Work-in-progress patch
Daniel Bates
Comment 5
2016-07-20 18:03:29 PDT
Created attachment 284178
Patch and Layout Tests
Daniel Bates
Comment 6
2016-07-20 18:05:02 PDT
The tests in attachment 284178 depend on the fix for bug #159998. Otherwise, they will crash with an assertion failure in debug builds.
Build Bot
Comment 7
2016-07-20 18:52:28 PDT
Comment on attachment 284178
Patch and Layout Tests

Attachment 284178 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/1718895

New failing tests:
fast/replaced/outline-replaced-elements-offset.html
fast/frames/crash-display-none-iframe-during-onbeforeload.html
fast/borders/border-image-fill-no-border.html
Build Bot
Comment 8
2016-07-20 18:52:33 PDT
Created attachment 284181
Archive of layout-test-results from ews102 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 9
2016-07-20 18:55:06 PDT
Comment on attachment 284178
Patch and Layout Tests

Attachment 284178 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/1718902

New failing tests:
fast/replaced/outline-replaced-elements-offset.html
fast/frames/crash-display-none-iframe-during-onbeforeload.html
fast/borders/border-image-fill-no-border.html
Build Bot
Comment 10
2016-07-20 18:55:10 PDT
Created attachment 284182
Archive of layout-test-results from ews104 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Daniel Bates
Comment 11
2016-07-21 09:15:45 PDT
Comment on attachment 284178
Patch and Layout Tests

This patch is wrong.
Daniel Bates
Comment 12
2016-07-21 10:33:34 PDT
Created attachment 284227
Patch and Layout Tests
Build Bot
Comment 13
2016-07-21 11:36:41 PDT
Comment on attachment 284227
Patch and Layout Tests

Attachment 284227 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1726362

New failing tests:
security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
Build Bot
Comment 14
2016-07-21 11:36:45 PDT
Created attachment 284235
Archive of layout-test-results from ews117 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-yosemite Platform: Mac OS X 10.10.5
Daniel Bates
Comment 15
2016-07-21 12:21:44 PDT
(In reply to comment #13)
> Comment on attachment 284227
> Patch and Layout Tests
>
> Attachment 284227 did not pass mac-debug-ews (mac):
> Output: http://webkit-queues.webkit.org/results/1726362
>
> New failing tests:
> security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html

This is caused by bug #159998.
Brent Fulgham
Comment 16
2016-07-21 17:44:59 PDT
Comment on attachment 284227
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=284227&action=review

Looks good to me. Please fix the spacing issue before landing. I understand the test failure is due to a different bug.
> Source/WebCore/html/HTMLPlugInImageElement.cpp:786 > + document().ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : attributeWithoutSynchronization(HTMLNames::typeAttr);
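Review bot: The true branch on this line dereferences `document().ownerElement()` directly, so its safety rests entirely on the ternary's condition, which sits on the preceding line and is not quoted here; it is worth confirming that the condition includes a null check on `ownerElement()`, or binding the owner element to a local once and testing that. Because this expression chooses between the owner element's `type` attribute and the element's own, a short comment stating when each one applies would also help the next reader.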
I think this should be indented 4 spaces.
Daniel Bates
Comment 17
2016-07-22 13:33:30 PDT
(In reply to comment #16)
> Comment on attachment 284227
> Patch and Layout Tests
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=284227&action=review
>
> Looks good to me. Please fix the spacing issue before landing. I understand
> the test failure is due to a different bug.
>
> > Source/WebCore/html/HTMLPlugInImageElement.cpp:786
> > + document().ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : attributeWithoutSynchronization(HTMLNames::typeAttr);
>
> I think this should be indented 4 spaces.

Will fix before landing.
Daniel Bates
Comment 18
2016-07-22 13:34:16 PDT
Committed r203611: <http://trac.webkit.org/changeset/203611>