Bug 97030 - CSP 'object-src' directive should correctly handle redirects.
Summary: CSP 'object-src' directive should correctly handle redirects.
Status: RESOLVED DUPLICATE of bug 153154
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-18 11:18 PDT by Mike West
Modified: 2016-04-14 17:39 PDT (History)
9 users (show)

See Also:

Attachments
Patch (2.41 KB, patch)
2012-09-18 11:19 PDT, Mike West 		buildbot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion (505.21 KB, application/zip)
2014-06-12 22:12 PDT, Build Bot 		no flags Details
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion (505.25 KB, application/zip)
2014-06-12 23:11 PDT, Build Bot 		no flags Details
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 (526.75 KB, application/zip)
2014-06-13 15:18 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews101 for mac-yosemite (873.40 KB, application/zip)
2015-11-21 22:12 PST, Build Bot 		no flags Details
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (767.93 KB, application/zip)
2015-11-21 22:16 PST, Build Bot 		no flags Details
Archive of layout-test-results from ews112 for mac-yosemite (772.45 KB, application/zip)
2015-11-21 22:20 PST, Build Bot 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2012-09-18 11:18:06 PDT 
CSP 'object-src' directive should correctly handle redirects.
Comment 1 Mike West 2012-09-18 11:19:02 PDT 
Created attachment 164588 [details]
Patch
Comment 2 Mike West 2012-09-18 11:27:38 PDT 
I dislike plugins.

It looks like we're mishandling plugins loaded via redirect. I'm pretty sure that the attached test should block the plugin's final URL, but it doesn't. I've dug through a bit of plugin-loading loading code, but it quickly falls into platform specific messiness.

So, I'll hopefully ask you folks: is there a point inside WebKit where we can make the CSP check? If not, can you help me track down where the plugin actually gets loaded so that I can add the proper hooks (or come up with some crazy delegate structure)?

Thanks!
Comment 3 Adam Barth 2012-09-19 11:10:43 PDT 
This bug is going to be hard to fix.  Plugin loading works in a very port-specific manner.  I'd be inclined not to worry about this bug for a while.
Comment 4 Mike West 2012-09-20 01:55:41 PDT 
(In reply to comment #3)
> This bug is going to be hard to fix.  Plugin loading works in a very port-specific manner.  I'd be inclined not to worry about this bug for a while.

I'd be less concerned about it if we were talking about fonts or something otherwise mostly benign. I don't really like having a bug in object whitelisting. *shrug* That said, I agree that it's going to be a pain to fix. :)
Comment 5 Mike West 2013-02-07 11:00:45 PST 
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment 6 Build Bot 2014-06-12 22:12:08 PDT 
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5481509171494912

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 7 Build Bot 2014-06-12 22:12:13 PDT 
Created attachment 233027 [details]
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-07  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 8 Build Bot 2014-06-12 23:11:11 PDT 
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5855960526487552

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 9 Build Bot 2014-06-12 23:11:15 PDT 
Created attachment 233029 [details]
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-01  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 10 Build Bot 2014-06-13 15:17:59 PDT 
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5915923638648832

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 11 Build Bot 2014-06-13 15:18:03 PDT 
Created attachment 233082 [details]
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-14  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5
Comment 12 Build Bot 2015-11-21 22:12:35 PST 
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/461891

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 13 Build Bot 2015-11-21 22:12:38 PST 
Created attachment 266043 [details]
Archive of layout-test-results from ews101 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 14 Build Bot 2015-11-21 22:16:09 PST 
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/461900

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 15 Build Bot 2015-11-21 22:16:13 PST 
Created attachment 266044 [details]
Archive of layout-test-results from ews107 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 16 Build Bot 2015-11-21 22:20:07 PST 
Comment on attachment 164588 [details]
Patch

Attachment 164588 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/461888

New failing tests:
http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Comment 17 Build Bot 2015-11-21 22:20:10 PST 
Created attachment 266045 [details]
Archive of layout-test-results from ews112 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 18 Chris Rebert 2016-04-12 12:01:04 PDT 
Relevant: http://githubengineering.com/githubs-csp-journey/#object-src
Comment 19 Daniel Bates 2016-04-14 17:39:19 PDT 
Will fix this issue as part of the fix for bug #153154.

*** This bug has been marked as a duplicate of bug 153154 ***