185367 – CSP should be passed the referrer

Bug 185367 - CSP should be passed the referrer

Summary: CSP should be passed the referrer

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	WebKit Local Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Daniel Bates

URL:
Keywords:	InRadar

Depends on:
Blocks:	185380
	Show dependency tree / graph

Reported:	2018-05-06 16:20 PDT by Daniel Bates
Modified:	2018-05-07 10:53 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
Patch (20.62 KB, patch) 2018-05-06 16:35 PDT, Daniel Bates	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Bates 2018-05-06 16:20:04 PDT

A ContentSecurityPolicy object currently depends on either a ScriptExecutionContext or a Frame in order to perform logging, dispatch DOM events, and send CSP reports. Ideally, we want it be dependent on a delegate to perform these operations so that we can implement them appropriate for workers and with respect to the NetworkProcess. Notice that class Document extends ScriptExecutionContext. For documents, one of the reasons the class ContentSecurityPolicy has a dependency on ScriptExecutionContext is because it needs to know the document's referrer when dispatching DOM events and sending CSP reports for violations. It is sufficient to pass the referrer information to a ContentSecurityPolicy directly instead of having ContentSecurityPolicy indirectly query this information from the specified ScriptExecutionContext or Frame. This will also make it straightforward to correctly compute the referrer for a worker in a subsequent bug.

Comment 1 Daniel Bates 2018-05-06 16:35:40 PDT

Created attachment 339695 [details]
Patch

Comment 2 Daniel Bates 2018-05-06 17:26:55 PDT

(In reply to Daniel Bates from comment #0)
> Ideally, we want it be dependent on a delegate
> to perform these operations so that we can implement them appropriate for
> workers and with respect to the NetworkProcess. Notice that class Document
> extends ScriptExecutionContext.


This should read:

Ideally, we want it to be dependent only on a delegate to perform these operations so that we can implement them appropriately for workers and with respect to the NetworkProcess. 


> This will also make it straightforward to correctly compute the referrer for a worker in a subsequent bug.

Disregard this remark. Only documents have a referrer. That is, workers do not have a referrer.

Comment 3 Per Arne Vollan 2018-05-07 10:48:17 PDT

Comment on attachment 339695 [details]
Patch

R=me. Do we already have test coverage for this?

Comment 4 Daniel Bates 2018-05-07 10:50:58 PDT

(In reply to Per Arne Vollan from comment #3)
> Do we already have test coverage for this?

Yes, we do.

Comment 5 Daniel Bates 2018-05-07 10:52:40 PDT

Comment on attachment 339695 [details]
Patch

Clearing flags on attachment: 339695

Committed r231445: <https://trac.webkit.org/changeset/231445>

Comment 6 Daniel Bates 2018-05-07 10:52:42 PDT

All reviewed patches have been landed.  Closing bug.

Comment 7 Radar WebKit Bug Importer 2018-05-07 10:53:26 PDT

<rdar://problem/40028310>