CSP: Properly block image content in object elements
Created attachment 450280 Patch
Comment on attachment 450280 Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450280&action=review

> Source/WebCore/loader/ResourceLoaderOptions.h:150
> +enum class LoadedFromPluginElement : uint8_t {

Usually we write enums for booleans like this:

enum class LoadedFromPluginElement : bool { No, Yes };

with a "bool" specifier and the 'No' value first. I am not sure why other enums in this class do not follow that pattern, but I think we should stick with it.

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:581
> + String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");

We should log the target URL in the console here I think. It is helpful to debug and I believe it also matches other browser behavior in general to log the target URL in the console.
Created attachment 450327 Patch for landing
ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.
Created attachment 450328 Patch for landing
Committed r288792 (246569@main): <https://commits.webkit.org/246569@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450328.
<rdar://problem/88227274>
*** Bug 181846 has been marked as a duplicate of this bug. ***
This fix shipped with Safari 15.5 (all platforms).