WebKit Bugzilla
RESOLVED FIXED
92396
Images loaded via object elements should be governed by the 'object-src' CSP directive.
https://bugs.webkit.org/show_bug.cgi?id=92396
Mike West
Reported
2012-07-26 10:36:13 PDT
The attached test gives results that I don't understand; I think that setting `object-src 'none'` should block the image from being loaded via the `object` tag (see the spec: "It is not required that the consumer of the element's data be a plugin in order for the object-src directive to be enforced. ..."). I'm not sure if the behavior I'm seeing is a bug in my understanding of plugins, or a bug in our CSP implementations (or a bug in my test, I suppose).
Attachments
Broken test. (2.19 KB, patch), 2012-07-26 10:42 PDT, Mike West, no flags
Patch (4.86 KB, patch), 2012-08-26 03:41 PDT, Mike West, jochen: review-
Adam Barth
Comment 1
2012-07-26 10:40:31 PDT
It's likely a bug in our implementation. This is a tricky corner case.
Mike West
Comment 2
2012-07-26 10:42:10 PDT
Created attachment 154685 [details]
Broken test.
Mike West
Comment 3
2012-07-26 10:43:53 PDT
Ok. Then I'll take a look at solving it. At some point. Possibly soon, as this makes it tough to test `plugin-types`. Any idea where I might want to start looking? :)
Mike West
Comment 4
2012-07-26 10:50:58 PDT
CCing Bernhard and Jochen, who both know things about plugins. :)
Mike West
Comment 5
2012-07-26 10:51:24 PDT
*ahem* Bernhard _and Jochen_.
Mike West
Comment 6
2012-08-26 03:41:31 PDT
Created attachment 160598 [details]
Patch
Mike West
Comment 7
2012-08-26 03:47:05 PDT
The attached patch is a first pass at running image content through CSP even if it's loaded via an object element. I'm not convinced that this is the right place for the check, but I'm not sure where else to put it. ImageLoader seems like the wrong place and anything else is too late. *shrug* WDYT?
jochen
Comment 8
2012-08-27 04:12:42 PDT
Comment on attachment 160598 [details]
Patch

I believe that this is the wrong place, as this won't catch redirects.

What about adding a callback to ImageLoaderClient to do the CSP checks on redirects?
Mike West
Comment 9
2012-08-27 10:18:43 PDT
(In reply to comment #8)
> (From update of attachment 160598 [details])
> I believe that this is the wrong place, as this won't catch redirects.
>
> What about adding a callback to ImageLoaderClient to do the CSP checks on redirects?
Hrm. If I'm understanding the layout of things correctly, this would involve switching up some of the CSP checks in CachedResourceLoader::canRequest to call out to the relevant XXXLoaderClient (that is, the various HTMLXXXElement objects), kinda like we did in MainResourceLoader::willSendRequest for 'form-action' a few patches back... Is that the structure you're thinking of, Jochen?
jochen
Comment 10
2012-08-28 00:07:28 PDT
(In reply to comment #9)
> (In reply to comment #8)
> > (From update of attachment 160598 [details] [details])
> > I believe that this is the wrong place, as this won't catch redirects.
> >
> > What about adding a callback to ImageLoaderClient to do the CSP checks on redirects?
>
> Hrm. If I'm understanding the layout of things correctly, this would involve switching up some of the CSP checks in CachedResourceLoader::canRequest to call out to the relevant XXXLoaderClient (that is, the various HTMLXXXElement objects), kinda like we did in MainResourceLoader::willSendRequest for 'form-action' a few patches back...
>
> Is that the structure you're thinking of, Jochen?
The alternative would be to teach the CachedResourceLoader about images that are loaded via an object tag. Not sure which solution is better.
Mike West
Comment 11
2012-08-28 00:11:51 PDT
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #8)
> > > (From update of attachment 160598 [details] [details] [details])
> > > I believe that this is the wrong place, as this won't catch redirects.
> > >
> > > What about adding a callback to ImageLoaderClient to do the CSP checks on redirects?
> >
> > Hrm. If I'm understanding the layout of things correctly, this would involve switching up some of the CSP checks in CachedResourceLoader::canRequest to call out to the relevant XXXLoaderClient (that is, the various HTMLXXXElement objects), kinda like we did in MainResourceLoader::willSendRequest for 'form-action' a few patches back...
> >
> > Is that the structure you're thinking of, Jochen?
>
> The alternative would be to teach the CachedResourceLoader about images that are loaded via an object tag. Not sure which solution is better.
Naah, CachedResourceLoader is complicated enough already. :) I'll try to fiddle around with the HTMLXXXElement structure sometime this week. Thanks!
Mike West
Comment 12
2013-02-07 11:00:44 PST
Unassigning myself; let's be realistic about what I'm actually working on. :/
Radar WebKit Bug Importer
Comment 13
2016-02-18 15:26:55 PST
<rdar://problem/24730219>
Patrick Griffis
Comment 14
2022-02-03 10:42:59 PST
Fixed by r288792
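The behaviour this bug asks for, together with the redirect concern raised in comment 8, as an added sketch that is not part of the thread and is not WebKit code: the governing directive is picked from the initiating element (with fallback to `default-src`), and the check runs on every hop of a redirect chain. The function names, the simplified source matcher and the `example.test` / `other.test` URLs are assumptions made for the illustration.

```javascript
// Added illustration, not WebKit code; names and the matcher are assumptions.
function parsePolicy(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// The governing directive follows the element that starts the load,
// not the type of resource that comes back.
const DIRECTIVE_FOR_ELEMENT = { object: 'object-src', embed: 'object-src', img: 'img-src' };

// Simplified matching: 'none' (matches nothing), *, 'self', exact origins.
function sourceListAllows(sources, url, selfOrigin) {
  const origin = new URL(url).origin;
  return sources.some((s) =>
    s === '*' || (s === "'self'" && origin === selfOrigin) || s === origin);
}

// chain = the initial URL followed by each redirect target, in order.
function checkLoad(header, element, chain, selfOrigin) {
  const policy = parsePolicy(header);
  const wanted = DIRECTIVE_FOR_ELEMENT[element];
  const directive = wanted in policy ? wanted
    : 'default-src' in policy ? 'default-src' : null;
  if (directive === null) return { allowed: true, directive, blockedAt: null };
  for (const url of chain) {
    // Checking only chain[0] would miss a redirect to a disallowed origin.
    if (!sourceListAllows(policy[directive], url, selfOrigin)) {
      return { allowed: false, directive, blockedAt: url };
    }
  }
  return { allowed: true, directive, blockedAt: null };
}

// Constructed sample inputs.
const SELF = 'https://example.test';
const POLICY = "img-src 'self'; object-src 'none'";
console.log(checkLoad(POLICY, 'object', [SELF + '/pass.png'], SELF));
console.log(checkLoad(POLICY, 'img', [SELF + '/pass.png'], SELF));
console.log(checkLoad("object-src 'self'", 'object',
  [SELF + '/a.png', 'https://other.test/a.png'], SELF));
```

The first call is the case from the original report: the same image URL that `img-src 'self'` permits for an `img` element is refused when an `object` element requests it under `object-src 'none'`.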