Bug 185070 - CSP: Implement `prefetch-src` directive
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
 
Reported: 2018-04-27 01:21 PDT by Yoav Weiss
Modified: 2018-04-28 19:13 PDT

Description Yoav Weiss 2018-04-27 01:21:02 PDT
In order to block potential data leaks through prefetch requests, it was decided [1] that a `prefetch-src` CSP directive would be added and control such requests, and that prefetch requests would have their own `Request.initiator` and an empty string destination [2].

[1] https://github.com/w3c/webappsec-csp/issues/107
[2] https://github.com/whatwg/fetch/pull/659


Tests: http://w3c-test.org/content-security-policy/prefetch-src/
Comment 1 Radar WebKit Bug Importer 2018-04-28 19:13:00 PDT
<rdar://problem/39821187>