Bug 235837 - CSP: Properly block image content in object elements
Summary: CSP: Properly block image content in object elements
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Patrick Griffis
URL:
Keywords: InRadar
Duplicates: 181846
Depends on:
Blocks:
 
Reported: 2022-01-28 15:00 PST by Patrick Griffis
Modified: 2022-05-26 14:49 PDT

Attachments
Patch (16.53 KB, patch)
2022-01-28 15:01 PST, Patrick Griffis
no flags
Patch for landing (16.42 KB, patch)
2022-01-29 10:35 PST, Patrick Griffis
no flags
Patch for landing (16.41 KB, patch)
2022-01-29 10:39 PST, Patrick Griffis
ews-feeder: commit-queue-

Description Patrick Griffis 2022-01-28 15:00:09 PST
CSP: Properly block image content in object elements
Comment 1 Patrick Griffis 2022-01-28 15:01:52 PST
Created attachment 450280
Patch
Comment 2 Kate Cheney 2022-01-28 15:39:06 PST
Comment on attachment 450280
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450280&action=review

> Source/WebCore/loader/ResourceLoaderOptions.h:150
> +enum class LoadedFromPluginElement : uint8_t {

Usually we write enums for booleans like this:

enum class LoadedFromPluginElement : bool { No, Yes };

with a "bool" specifier and the 'No' value first. I am not sure why other enums in this class do not follow that pattern, but I think we should stick with it.

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:581
> +        String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");

We should log the target URL in the console here I think. It is helpful to debug and I believe it also matches other browser behavior in general to log the target URL in the console.
Comment 3 Patrick Griffis 2022-01-29 10:35:14 PST
Created attachment 450327
Patch for landing
Comment 4 EWS 2022-01-29 10:36:27 PST
ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.
Comment 5 Patrick Griffis 2022-01-29 10:39:09 PST
Created attachment 450328
Patch for landing
Comment 6 EWS 2022-01-29 11:29:09 PST
Committed r288792 (246569@main): <https://commits.webkit.org/246569@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450328.
Comment 7 Radar WebKit Bug Importer 2022-01-29 11:30:17 PST
<rdar://problem/88227274>
Comment 8 Brent Fulgham 2022-02-08 16:15:40 PST
*** Bug 181846 has been marked as a duplicate of this bug. ***
Comment 9 Brent Fulgham 2022-05-26 14:49:03 PDT
This fix shipped with Safari 15.5 (all platforms).