RESOLVED REMIND 88883
"view-source" URI scheme & Content Security Policy (CSP)
https://bugs.webkit.org/show_bug.cgi?id=88883
Ashar Javed
Reported 2012-06-12 10:16:22 PDT
"view-source" shows the source code of the page, i.e., view-source:http://www.mobilefuxx.de. The "view-source" URI scheme was unable to load the source code of the page if Content Security Policy (CSP) is in place.

I have a CSP test-bed at http://www.mobilefuxx.de/csp/xsstest/test.php. On http://www.mobilefuxx.de/csp/xsstest/test.php, I have a CSP policy 'self' for every type of resource. If I use:

<iframe src="http://www.mobilefuxx.de/"></iframe>

It works fine because the URI corresponds to 'self'. But if I use "view-source":

<iframe src="view-source:http://www.mobilefuxx.de/"></iframe>

It does not work & I got false positive errors/warnings. I think it should display the source code because I am asking for the source code of a URI that corresponds to 'self'.

Would you please look into the issue? Thanks!
Adam Barth
Comment 1 2012-06-12 10:47:22 PDT
Are you sure this has to do with CSP? The view-source doesn't seem to work even with sites that don't use CSP:

data:text/html,<iframe src="view-source:http://www.example.com/"></iframe>

By contrast, the viewsource attribute does appear to work with your site.

data:text/html,<iframe viewsource src="http://www.mobilefuxx.de/csp/xsstest/test.php"></iframe>
Adam Barth
Comment 2 2012-06-12 10:49:00 PDT
Oh, you meant typing in the box. If you type the following in the box:

<iframe viewsource src="http://www.mobilefuxx.de/"></iframe>

It works fine... Maybe I'm still not quite understanding the issue.
Ashar Javed
Comment 3 2012-06-12 10:52:06 PDT
(In reply to comment #2)
> Oh, you meant typing in the box. If you type the following in the box:
>
> <iframe viewsource src="http://www.mobilefuxx.de/"></iframe>
>
> It works fine... Maybe I'm still not quite understanding the issue.

Thanks Adam. It works fine by adding the word "src". Again Thanks!
Ashar Javed
Comment 4 2012-06-13 15:19:20 PDT
Adam, there is some discussion related to the same issue (I have found on Firefox) on Mozilla Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=762795). Would you please un-hide the bug or cc "Daniel Veditz"? Would you please check the discussion? Thanks!
Adam Barth
Comment 5 2012-06-13 17:47:24 PDT
Done.
Radar WebKit Bug Importer
Comment 6 2012-06-15 12:58:22 PDT