Blob URLs should use their owner origin for CSP checks
<rdar://76458106>
Created attachment 425967 Patch
Created attachment 426006 Patch
Created attachment 426084 Patch

Comment on attachment 426084 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review
> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:135
> + if (m_allowSelf && m_policy.urlMatchesSelf(url, equalIgnoringASCIICase(m_directiveName, ContentSecurityPolicyDirectiveNames::frameSrc)
Maybe we should store whether this is a frame src directive as a boolean.

Comment on attachment 426084 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review
> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:136
> +))
These should be on the previous line.
> LayoutTests/platform/mac-wk1/TestExpectations:140
> +http/tests/security/frame-src-and-blob-download.https.html [ Skip ]
Why not run this test in WK1?

> > LayoutTests/platform/mac-wk1/TestExpectations:140
> > +http/tests/security/frame-src-and-blob-download.https.html [ Skip ]
>
> Why not run this test in WK1?
Test runner API is not implemented in WK1. A lot of the download tests are skipped in WK1 so I am unsure what download support there actually is in WK1.

Comment on attachment 426084 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=426084&action=review
> Source/WebCore/page/SecurityOrigin.cpp:270
> + return true;
This could be replaced by ||

Created attachment 426232 Patch for landing
commit-queue failed to commit attachment 426232 to WebKit repository. To retry, please set cq+ flag again.
Committed r276230 (236712@main): <https://commits.webkit.org/236712@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 426232.