[webkit-changes] [WebKit/WebKit] a58085: Cherry-pick 0445ac553799. rdar://problem/103170891
Ryan Reno
noreply at github.com
Mon Dec 19 18:35:54 PST 2022
Branch: refs/heads/safari-7615.1.16-branch
Home: https://github.com/WebKit/WebKit
Commit: a58085420faa7872aad9c6c8d2ce01275cbea1a1
https://github.com/WebKit/WebKit/commit/a58085420faa7872aad9c6c8d2ce01275cbea1a1
Author: Ryan Reno <rreno at apple.com>
Date: 2022-12-19 (Mon, 19 Dec 2022)
Changed paths:
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Log Message:
-----------
Cherry-pick 0445ac553799. rdar://problem/103170891
Store CSP delivered via meta tag as a valid HTTP header.
https://bugs.webkit.org/show_bug.cgi?id=249596
rdar://103170891
Reviewed by Brent Fulgham.
A CSP delivered via a meta tag could have invalid HTTP header values in it. Take for example this:
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
script-src 'self';
img-src 'self'">
The value of the CSP header that the ContentSecurityPolicyDirectiveList will get will be the raw
string including whitespace and most importantly newline characters. These newline characters are
invalid characters in an HTTP header[0].
The parsing algorithm for CSP handles this appropriately and creates a valid CSP for the document. However,
if a script in the document then creates blob URLs which are navigated to or otherwise fetched, the Network
process will return a ResourceResponse object with a Content-Security-Policy header that contains the newlines.
This is caught by the ResourceResponseBase::containsInvalidHTTPHeaders function which causes the fetch to fail.
To combat this we can simply strip the newline characters from the meta-delivered CSP and store the policy as a
valid HTTP header.
[0] https://fetch.spec.whatwg.org/#header-value
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse):
Canonical link: https://commits.webkit.org/258110@main
Canonical link: https://commits.webkit.org/257979.6@safari-7615.1.16-branch
More information about the webkit-changes
mailing list