CSP 'object-src' directive should correctly handle redirects.
Created attachment 164588 [details] Patch
I dislike plugins. It looks like we're mishandling plugins loaded via redirect. I'm pretty sure that the attached test should block the plugin's final URL, but it doesn't. I've dug through a bit of plugin-loading code, but it quickly falls into platform-specific messiness. So, I'll hopefully ask you folks: is there a point inside WebKit where we can make the CSP check? If not, can you help me track down where the plugin actually gets loaded so that I can add the proper hooks (or come up with some crazy delegate structure)? Thanks!
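The behaviour described in the comment above, as an added illustration that is not part of the WebKit patch or of any WebKit code: a small model of `object-src` source matching applied to a redirect chain. It shows why checking only the URL the page requested is not enough: the plugin that ends up running comes from the final URL after redirects, so each hop must be checked. The matcher below is a deliberately simplified version of CSP source-expression matching (`'none'`, `'self'`, scheme-source, host-source with wildcard host, port and path); the rule that a source expression's path is ignored once a redirect has occurred follows CSP Level 2. All URLs, the page origin and the policy are constructed for the example, and `check_plugin_load` with `check_every_hop=False` is a stand-in for the mishandling, not a reproduction of WebKit's loader.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when a URL or source expression omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Port of a split URL, falling back to the scheme's default port."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    """Host part of a source expression: exact, '*', or '*.example' wildcard."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches "a.example.com"
    return host == pattern


def source_allows(expr, url, page_origin, redirected=False):
    """True if one object-src source expression permits `url`.

    `redirected` is set for any URL reached through a redirect; per CSP Level 2
    the path part of the source expression is then ignored (simplified model).
    """
    expr = expr.lower()
    if expr == "'none'":
        return False
    u = urlsplit(url)
    page = urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.hostname, _effective_port(u)) == (
            page.scheme, page.hostname, _effective_port(page))
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    else:
        scheme, rest = None, expr
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme not in (page.scheme, "https"):  # no scheme: page's scheme or https
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    if port:
        if port != "*" and str(_effective_port(u)) != port:
            return False
    elif _effective_port(u) != DEFAULT_PORTS.get(scheme or u.scheme):
        return False
    if slash and path and not redirected:
        want = "/" + path
        return u.path.startswith(want) if want.endswith("/") else u.path == want
    return True


def object_src_allows(policy, url, page_origin, redirected=False):
    """`policy` is the list of source expressions from an object-src directive."""
    return any(source_allows(e, url, page_origin, redirected) for e in policy)


def check_plugin_load(policy, redirect_chain, page_origin, check_every_hop=True):
    """Simulate enforcing object-src over a plugin load.

    redirect_chain[0] is the URL the page asked for; later entries are the
    successive redirect targets, the last one being what actually runs.
    Returns (allowed, blocked_url). check_every_hop=False models a loader that
    only checks the requested URL and lets the redirected plugin through.
    """
    for i, url in enumerate(redirect_chain):
        if not check_every_hop and i > 0:
            break
        if not object_src_allows(policy, url, page_origin, redirected=i > 0):
            return (False, url)
    return (True, None)


# Constructed scenario: same-origin page redirects the object to another host.
PAGE_ORIGIN = "http://127.0.0.1:8000"
POLICY = ["'self'"]
CHAIN = [
    "http://127.0.0.1:8000/resources/redirect.py?to=http://localhost:8000/resources/plugin.swf",
    "http://localhost:8000/resources/plugin.swf",
]

if __name__ == "__main__":
    print("initial URL only:", check_plugin_load(POLICY, CHAIN, PAGE_ORIGIN, check_every_hop=False))
    print("every hop checked:", check_plugin_load(POLICY, CHAIN, PAGE_ORIGIN))
```

Running the block prints that the hop-unaware check allows the load while the per-hop check blocks it at the `localhost` URL, which is the outcome the layout test in this bug expects.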
This bug is going to be hard to fix. Plugin loading works in a very port-specific manner. I'd be inclined not to worry about this bug for a while.
(In reply to comment #3)
> This bug is going to be hard to fix. Plugin loading works in a very port-specific manner. I'd be inclined not to worry about this bug for a while.
I'd be less concerned about it if we were talking about fonts or something otherwise mostly benign. I don't really like having a bug in object whitelisting. *shrug* That said, I agree that it's going to be a pain to fix. :)
Unassigning myself; let's be realistic about what I'm actually working on. :/
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/5481509171494912 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Created attachment 233027 [details] Archive of layout-test-results from webkit-ews-07 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-07 Port: mac-mountainlion Platform: Mac OS X 10.8.5
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/5855960526487552 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Created attachment 233029 [details] Archive of layout-test-results from webkit-ews-01 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-01 Port: mac-mountainlion Platform: Mac OS X 10.8.5
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/5915923638648832 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Created attachment 233082 [details] Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-14 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.5
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/461891 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Created attachment 266043 [details] Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/461900 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Created attachment 266044 [details] Archive of layout-test-results from ews107 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Comment on attachment 164588 [details] Patch Attachment 164588 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/461888 New failing tests: http/tests/security/contentSecurityPolicy/object-src-redirect-blocked.html
Created attachment 266045 [details] Archive of layout-test-results from ews112 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5
Relevant: http://githubengineering.com/githubs-csp-journey/#object-src
Will fix this issue as part of the fix for bug #153154. *** This bug has been marked as a duplicate of bug 153154 ***