[webkit-changes] [WebKit/WebKit] a58085: Cherry-pick 0445ac553799. rdar://problem/103170891

Ryan Reno noreply at github.com
Mon Dec 19 18:35:54 PST 2022


  Branch: refs/heads/safari-7615.1.16-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: a58085420faa7872aad9c6c8d2ce01275cbea1a1
      https://github.com/WebKit/WebKit/commit/a58085420faa7872aad9c6c8d2ce01275cbea1a1
  Author: Ryan Reno <rreno at apple.com>
  Date:   2022-12-19 (Mon, 19 Dec 2022)

  Changed paths:
    M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

  Log Message:
  -----------
  Cherry-pick 0445ac553799. rdar://problem/103170891

    Store CSP delivered via meta tag as a valid HTTP header.
    https://bugs.webkit.org/show_bug.cgi?id=249596
    rdar://103170891

    Reviewed by Brent Fulgham.

    A CSP delivered via a meta tag could have invalid HTTP header values in it. Take for example this:

    <meta http-equiv="Content-Security-Policy" content="
        default-src 'none';
        script-src 'self';
        img-src 'self'">

    The value of the CSP header that the ContentSecurityPolicyDirectiveList will get will be the raw
    string including whitespace and most importantly newline characters. These newline characters are
    invalid characters in an HTTP header[0].

    The parsing algorithm for CSP handles this appropriately and creates a valid CSP for the document. However,
    if a script in the document then creates blob URLs which are navigated to or otherwise fetched, the Network
    process will return a ResourceResponse object with a Content-Security-Policy header that contains the newlines.
    This is caught by the ResourceResponseBase::containsInvalidHTTPHeaders function which causes the fetch to fail.

    To combat this we can simply strip the newline characters from the meta-delivered CSP and store the policy as a
    valid HTTP header.

    [0] https://fetch.spec.whatwg.org/#header-value

    * Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
    (WebCore::ContentSecurityPolicyDirectiveList::parse):

    Canonical link: https://commits.webkit.org/258110@main

Canonical link: https://commits.webkit.org/257979.6@safari-7615.1.16-branch
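
An added example, not WebKit's code: it checks a meta-delivered CSP value like the one in the log message against the Fetch header-value definition cited at [0], then normalizes it so it can be stored as a valid header. `toStorableHeaderValue` and `directives` are hypothetical helpers; replacing each newline with a space instead of deleting it, and trimming the ends, are assumptions beyond what the log message states.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Fetch "header value": no NUL, CR or LF, no leading/trailing tab or space.
bool isValidHeaderValue(const std::string& v) {
    auto isTabOrSpace = [](char c) { return c == ' ' || c == '\t'; };
    if (!v.empty() && (isTabOrSpace(v.front()) || isTabOrSpace(v.back())))
        return false;
    return std::none_of(v.begin(), v.end(),
        [](char c) { return c == '\0' || c == '\r' || c == '\n'; });
}

// Hypothetical helper: turn each CR/LF into a space (so tokens split only by
// a newline stay separate), then trim leading/trailing tab or space.
std::string toStorableHeaderValue(std::string value) {
    std::replace_if(value.begin(), value.end(),
        [](char c) { return c == '\r' || c == '\n'; }, ' ');
    auto first = value.find_first_not_of(" \t");
    if (first == std::string::npos)
        return "";
    return value.substr(first, value.find_last_not_of(" \t") - first + 1);
}

// Simplified directive split (on ';', whitespace collapsed), used only to
// show that the policy itself is unchanged. Not a full CSP parser.
std::vector<std::string> directives(const std::string& policy) {
    std::vector<std::string> result;
    std::stringstream parts(policy);
    for (std::string part; std::getline(parts, part, ';');) {
        std::stringstream tokens(part);
        std::string token, joined;
        while (tokens >> token)
            joined += (joined.empty() ? "" : " ") + token;
        if (!joined.empty())
            result.push_back(joined);
    }
    return result;
}

// Constructed sample shaped like the content attribute in the log message.
const std::string kMetaCSP =
    "\n    default-src 'none';\n    script-src 'self';\n    img-src 'self'";

int main() {
    std::cout << isValidHeaderValue(kMetaCSP) << ' '
              << isValidHeaderValue(toStorableHeaderValue(kMetaCSP)) << '\n';
}
```

Deleting a newline outright would fuse two source expressions that are separated only by that newline, which is why this sketch substitutes a space.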



