Bug 234140 - Implement step 17 of main fetch algorithm
Summary: Implement step 17 of main fetch algorithm
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2021-12-10 03:47 PST by youenn fablet
Modified: 2021-12-13 01:19 PST

Attachments
Patch (6.70 KB, patch)
2021-12-10 03:51 PST, youenn fablet
Description youenn fablet 2021-12-10 03:47:05 PST
Implement step 17 of main fetch algorithm
Comment 1 youenn fablet 2021-12-10 03:51:01 PST
Created attachment 446708 [details]
Patch
Comment 2 EWS Watchlist 2021-12-10 03:51:50 PST
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 3 Brent Fulgham 2021-12-10 08:34:58 PST
Comment on attachment 446708 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=446708&action=review

r=me

> LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:1
> +Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'unsafe-inline' 'self'
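
Review bot: The 'unsafe-inline' keyword in the connect-src source list on this header line has no effect, because that keyword only governs inline script and style and is never matched against the URL of a fetch or XHR load. Writing the directive as connect-src 'self' would express the same restriction on fetch loads and make it clearer what the test policy is meant to allow.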

Do you know if this new connect-src rule is needed because of a bug in our CSP implementation?
Comment 4 youenn fablet 2021-12-10 08:42:14 PST
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 446708 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=446708&action=review
> 
> r=me
> 
> > LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:1
> > +Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'unsafe-inline' 'self'
> 
> Do you know if this new connect-src rule is needed because of a bug in our
> CSP implementation?

It is needed because the rule was only about image and we are now adding a restriction to fetch loads as well.
Comment 5 youenn fablet 2021-12-13 00:48:23 PST
<rdar://problem/85388372>
Comment 6 EWS 2021-12-13 01:19:39 PST
Committed r286940 (245165@main): <https://commits.webkit.org/245165@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 446708 [details].