RESOLVED FIXED 187870
Cannot view PDFs on my.gov.au: "Refused to load https://my.gov.au/attachment/viewAttachment because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy"
https://bugs.webkit.org/show_bug.cgi?id=187870
Daniel Bates
Reported 2018-07-20 13:56:39 PDT
Steps to reproduce (the following steps assume you have a my.gov.au account that has a message with an attachment):

1. Visit my.gov.au and sign into your account.
2. Open a message listed in your Inbox that has an attachment (signified by the presence of an icon with a paperclip to the right of the name of the message).
3. Open the attachment.

Then a new window/tab opens to <https://my.gov.au/attachment/viewAttachment> and displays "Blocked Plug-in". But the contents of the attachment should have been rendered.
Attachments
Patch and layout tests (22.87 KB, patch), 2018-07-20 14:35 PDT, Daniel Bates, no flags
Archive of layout-test-results from ews206 for win-future (13.07 MB, application/zip), 2018-07-20 17:07 PDT, EWS Watchlist, no flags
Patch and layout tests (24.29 KB, patch), 2018-07-22 15:30 PDT, Daniel Bates, no flags
Daniel Bates
Comment 1 2018-07-20 13:59:00 PDT
The page that opened the new window to the attachment has the following CSP policy delivered in an HTTP header:

default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' 'unsafe-inline' https://www.centrelink.gov.au; style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; frame-src 'self'; font-src 'self'; frame-ancestors 'none'

And <https://my.gov.au/attachment/viewAttachment> does not have a CSP policy.
Daniel Bates
Comment 2 2018-07-20 14:00:20 PDT
Notice that <https://my.gov.au/attachment/viewAttachment> loads a PDF directly as a plugin document. Plugin documents inherit their policy from their embedding frame or opener.
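The two comments above describe the whole mechanism: the attachment page ships no policy of its own, so it inherits the opener's policy; that policy has no object-src, so the object load falls back to default-src 'none' and the PDF is refused even though plugin-types lists application/pdf. The following is an added example written for this page (it is not WebKit's or my.gov.au's code) that models exactly that evaluation in Python: it parses the header quoted in comment 1, applies the object-src to default-src fallback, applies the plugin-types check, and shows that adding object-src 'self' to the opener's policy is the change that lets the same-origin PDF render. The source-expression matcher covers only the source kinds this policy uses ('none', 'self', scheme sources such as data:, and host sources); the policy string and URL are taken from the report, and FIXED_CSP is a constructed variant.

```python
# Added example, not code from WebKit or my.gov.au: evaluate whether a CSP header
# permits a plugin/object load, including the object-src -> default-src fallback
# and the inheritance of the opener's policy by a plugin document without one.
from urllib.parse import urlparse

# Policy quoted in comment 1 (nonce value as reported).
MYGOV_CSP = (
    "default-src 'none'; connect-src 'self'; img-src 'self' data:; "
    "script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' "
    "'unsafe-inline' https://www.centrelink.gov.au; "
    "style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; "
    "form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; "
    "frame-src 'self'; font-src 'self'; frame-ancestors 'none'"
)
# Constructed variant: the same policy with object-src 'self' added.
FIXED_CSP = MYGOV_CSP.replace("default-src 'none';", "default-src 'none'; object-src 'self';")
OPENER_ORIGIN = "https://my.gov.au"
ATTACHMENT_URL = "https://my.gov.au/attachment/viewAttachment"


def parse_csp(header):
    """Split a serialized policy into {directive-name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def origin_of(url):
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source, url, document_origin):
    """Match one source expression against a URL (subset of the CSP grammar)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(url) == document_origin.lower()
    if src.startswith("'"):  # 'unsafe-inline', 'nonce-...', hashes: not URL sources
        return False
    target = urlparse(url)
    if src.endswith(":") and "/" not in src:  # scheme-source such as data:
        return target.scheme + ":" == src
    # host-source, optionally with a scheme and a leading *. wildcard
    scheme, _, host = src.rpartition("://")
    host = host.split("/")[0]
    if scheme and scheme != target.scheme:
        return False
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host


def object_load_decision(header, url, document_origin):
    """Return (allowed, governing_directive) for an object/plugin load."""
    policy = parse_csp(header)
    for name in ("object-src", "default-src"):  # fallback order from the CSP spec
        if name in policy:
            allowed = any(source_matches(s, url, document_origin) for s in policy[name])
            return allowed, name
    return True, None  # neither directive present: CSP imposes no restriction


def plugin_type_allowed(header, mime_type):
    """plugin-types (CSP2) restricts plugin MIME types; absent means any type."""
    policy = parse_csp(header)
    if "plugin-types" not in policy:
        return True
    return mime_type.lower() in [t.lower() for t in policy["plugin-types"]]


def effective_policy(own_header, opener_header):
    """A plugin document with no policy of its own inherits its opener's (comment 2)."""
    return own_header if own_header is not None else opener_header


def explain_plugin_document(own_header, opener_header, url, mime_type):
    """Describe the outcome for a plugin document opened in a new window."""
    header = effective_policy(own_header, opener_header)
    if header is None:
        return "allowed (no policy applies)"
    if not plugin_type_allowed(header, mime_type):
        return f"blocked: {mime_type} is not listed in plugin-types"
    # 'self' is evaluated against the plugin document's own origin.
    allowed, directive = object_load_decision(header, url, origin_of(url))
    if allowed:
        return f"allowed by {directive or 'the absence of object-src/default-src'}"
    if directive == "default-src":
        return ("blocked: appears in neither the object-src directive "
                "nor the default-src directive")
    return f"blocked by {directive}"


if __name__ == "__main__":
    print(explain_plugin_document(None, MYGOV_CSP, ATTACHMENT_URL, "application/pdf"))
    print(explain_plugin_document(None, FIXED_CSP, ATTACHMENT_URL, "application/pdf"))
```

Run stand-alone, the first line reproduces the console error from the summary (blocked via the default-src fallback) and the second shows the same-origin PDF allowed once object-src 'self' is present; the plugin-types check passes in both cases, which is why that directive alone does not explain the report.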
Daniel Bates
Comment 3 2018-07-20 14:00:54 PDT
Daniel Bates
Comment 4 2018-07-20 14:35:49 PDT
Created attachment 345482 [details] Patch and layout tests
EWS Watchlist
Comment 5 2018-07-20 17:07:29 PDT
Comment on attachment 345482 [details]
Patch and layout tests

Attachment 345482 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8603929

New failing tests:
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-allowed-in-child-window.html
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html
http/tests/security/video-poster-cross-origin-crash2.html
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php
EWS Watchlist
Comment 6 2018-07-20 17:07:41 PDT
Created attachment 345491 [details]
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Daniel Bates
Comment 7 2018-07-22 15:29:59 PDT
(In reply to Build Bot from comment #5)
> Comment on attachment 345482 [details]
> Patch and layout tests
>
> Attachment 345482 [details] did not pass win-ews (win):
> Output: https://webkit-queues.webkit.org/results/8603929
>
> New failing tests:
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-allowed-in-child-window.html
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html
> http/tests/security/video-poster-cross-origin-crash2.html
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php

Will skip these tests for now. Plugins or plugin tests do not seem to work on Windows and we skip many (if not all) plugin tests on Windows despite <rdar://problem/5074411> being marked closed (why?).
Daniel Bates
Comment 8 2018-07-22 15:30:25 PDT
Created attachment 345543 [details] Patch and layout tests
Daniel Bates
Comment 9 2018-07-24 09:29:11 PDT
Comment on attachment 345543 [details]
Patch and layout tests

Clearing flags on attachment: 345543

Committed r234149: <https://trac.webkit.org/changeset/234149>
Daniel Bates
Comment 10 2018-07-24 09:29:13 PDT
All reviewed patches have been landed. Closing bug.