Bug 59858 - CSP: Should only honor CSP policy delivered in meta tag that is a descendent of <head>
Summary: CSP: Should only honor CSP policy delivered in meta tag that is a descendent ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2011-04-29 18:42 PDT by Adam Barth
Modified: 2016-04-07 11:03 PDT (History)
10 users (show)

See Also:


Attachments
Patch and Layout Tests (15.23 KB, patch)
2016-04-07 10:11 PDT, Daniel Bates
bfulgham: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Barth 2011-04-29 18:42:28 PDT
We need to clarify the spec in this regard and then implement what the spec says.
Comment 1 Adam Barth 2012-05-03 17:34:51 PDT
The <meta> tag got punted to CSP 1.1 in the working group.
Comment 2 Daniel Bates 2016-03-23 11:03:42 PDT
As of <https://w3c.github.io/webappsec-csp/2/#delivery-html-meta-element (Editor’s Draft, 29 August 2015), we should only honor the CSP meta tag if it is a descendent of <head>.
Comment 3 Radar WebKit Bug Importer 2016-04-07 09:48:39 PDT
<rdar://problem/25603538>
Comment 4 Daniel Bates 2016-04-07 10:11:48 PDT
Created attachment 275893 [details]
Patch and Layout Tests
Comment 5 Brent Fulgham 2016-04-07 10:53:17 PDT
Comment on attachment 275893 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=275893&action=review

r=me

> Source/WebCore/dom/Document.h:829
> +    // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called

As long as your revising this, you might as well say "an HTTP header".

> Source/WebCore/dom/Document.h:832
> +    // specified in a HTML file.

"an HTML file."

> LayoutTests/ChangeLog:10
> +        X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>.

I assume that there are already tests that CSP features in <head> descendants work?
Comment 6 Daniel Bates 2016-04-07 10:59:20 PDT
(In reply to comment #5)
> > Source/WebCore/dom/Document.h:829
> > +    // Handles a HTTP header equivalent set by a meta tag using <meta http-equiv="..." content="...">. This is called
> 
> As long as your revising this, you might as well say "an HTTP header".
> 

Will fix before landing.

> > Source/WebCore/dom/Document.h:832
> > +    // specified in a HTML file.
> 
> "an HTML file."
> 

Will fix before landing.

> > LayoutTests/ChangeLog:10
> > +        X-WebKit-CSP, and X-WebKit-CSP-Report-Only if it is not a descendent of <head>.
> 
> I assume that there are already tests that CSP features in <head>
> descendants work?

Yes, we have many such tests. One example of a such a test is <http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html?rev=133095>.
Comment 7 Daniel Bates 2016-04-07 11:03:08 PDT
Committed r199163: <http://trac.webkit.org/changeset/199163>