Bug 224535 - Blob URLs should use their owner origin for CSP navigation/download checks
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2021-04-14 02:49 PDT by youenn fablet
Modified: 2021-04-18 09:42 PDT

Attachments
Patch (12.31 KB, patch)
2021-04-14 03:53 PDT, youenn fablet
Patch (14.36 KB, patch)
2021-04-14 10:39 PDT, youenn fablet
Patch (16.06 KB, patch)
2021-04-15 01:55 PDT, youenn fablet
Patch for landing (13.23 KB, patch)
2021-04-16 09:03 PDT, youenn fablet

Description youenn fablet 2021-04-14 02:49:13 PDT
Blob URLs should use their owner origin for CSP checks
Comment 1 youenn fablet 2021-04-14 02:50:05 PDT
<rdar://76458106>
Comment 2 youenn fablet 2021-04-14 03:53:43 PDT
Created attachment 425967
Patch
Comment 3 youenn fablet 2021-04-14 10:39:46 PDT
Created attachment 426006
Patch
Comment 4 youenn fablet 2021-04-15 01:55:55 PDT
Created attachment 426084
Patch
Comment 5 youenn fablet 2021-04-15 05:50:55 PDT
Comment on attachment 426084
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review

> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:135
> +    if (m_allowSelf && m_policy.urlMatchesSelf(url, equalIgnoringASCIICase(m_directiveName, ContentSecurityPolicyDirectiveNames::frameSrc)

Maybe we should store whether this is a frame src directive as a boolean.
Comment 6 Alex Christensen 2021-04-15 10:27:09 PDT
Comment on attachment 426084
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review

> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:136
> +))

These should be on the previous line.

> LayoutTests/platform/mac-wk1/TestExpectations:140
> +http/tests/security/frame-src-and-blob-download.https.html [ Skip ]

Why not run this test in WK1?
Comment 7 youenn fablet 2021-04-15 10:28:52 PDT
> > LayoutTests/platform/mac-wk1/TestExpectations:140
> > +http/tests/security/frame-src-and-blob-download.https.html [ Skip ]
> 
> Why not run this test in WK1?

Test runner API is not implemented in WK1.
A lot of the download tests are skipped in WK1 so I am unsure what download support there actually is in WK1.
Comment 8 Alex Christensen 2021-04-15 10:35:21 PDT
Comment on attachment 426084
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review

> Source/WebCore/page/SecurityOrigin.cpp:270
> +            return true;

This could be replaced by ||
Comment 9 youenn fablet 2021-04-16 09:03:25 PDT
Created attachment 426232
Patch for landing
Comment 10 EWS 2021-04-18 08:43:44 PDT
commit-queue failed to commit attachment 426232 to WebKit repository. To retry, please set cq+ flag again.
Comment 11 EWS 2021-04-18 09:42:12 PDT
Committed r276230 (236712@main): <https://commits.webkit.org/236712@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 426232.
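
The owner-origin idea in this bug's title, as an added JavaScript sketch that is not WebKit's code: it compares a `'self'` check that ignores a blob URL's owner with one that resolves the owner origin first. Function names and sample URLs are constructed, and limiting the owner lookup to `frame-src` is an assumption based on the boolean passed to `urlMatchesSelf` in the quoted review line.

```javascript
// Added illustration; function names and sample URLs are constructed,
// not taken from WebKit.

// A blob: URL embeds the origin of the document that created it. The WHATWG
// URL `origin` getter returns that owner origin, or "null" when it is opaque.
function blobOwnerOrigin(rawUrl) {
  const url = new URL(rawUrl);
  return url.protocol === "blob:" ? url.origin : null;
}

// 'self' match that looks only at the URL's own scheme: a blob: URL is never
// an http(s) URL, so the owner is ignored and every blob: URL is treated alike.
function matchesSelfIgnoringOwner(rawUrl, selfOrigin) {
  const url = new URL(rawUrl);
  return url.protocol !== "blob:" && url.origin === selfOrigin;
}

// 'self' match that resolves a blob: URL to its owner origin first.
// Assumption: the owner is consulted only for frame-src, mirroring the
// boolean passed to urlMatchesSelf in the quoted patch line.
function matchesSelfUsingOwner(rawUrl, selfOrigin, isFrameSrc) {
  const url = new URL(rawUrl);
  if (url.protocol !== "blob:") return url.origin === selfOrigin;
  if (!isFrameSrc) return false;
  const owner = blobOwnerOrigin(rawUrl);
  // An opaque owner serializes to "null" and must never be treated as self.
  return owner !== "null" && owner === selfOrigin;
}

// Constructed inputs for a page at https://app.example with frame-src 'self'.
const SELF = "https://app.example";
const SAMPLES = [
  "https://app.example/frame.html",
  "blob:https://app.example/0b0e7c2a-1111-4222-8333-444455556666",
  "blob:https://other.example/0b0e7c2a-1111-4222-8333-444455556666",
  "blob:null/0b0e7c2a-1111-4222-8333-444455556666",
];

function evaluate(samples = SAMPLES, selfOrigin = SELF) {
  return samples.map((u) => ({
    url: u,
    ignoringOwner: matchesSelfIgnoringOwner(u, selfOrigin),
    usingOwner: matchesSelfUsingOwner(u, selfOrigin, true),
  }));
}

console.table(evaluate());
```

Only the blob URL created by the page's own origin changes result between the two checks; blobs owned by another origin or by an opaque origin stay blocked under both.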