[webkit-changes] [WebKit/WebKit] a2b811: Content Security Policy for previous load should n...
Michael Catanzaro
noreply at github.com
Wed Dec 18 10:42:42 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a2b811f9d215673ed789980acc598fd86d924e19
https://github.com/WebKit/WebKit/commit/a2b811f9d215673ed789980acc598fd86d924e19
Author: Michael Catanzaro <mcatanzaro at redhat.com>
Date: 2024-12-18 (Wed, 18 Dec 2024)
Changed paths:
M Source/WebCore/loader/DocumentWriter.cpp
M Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp
Log Message:
-----------
Content Security Policy for previous load should not apply to subsequent alternate HTML load
https://bugs.webkit.org/show_bug.cgi?id=264355
Reviewed by Ryan Reno.
A substitute data load occurs when WebKit decides to load a URL using
its own web content rather than the website's usual web content. In
practice, browsers do this when displaying error pages, such as network
error pages or TLS error pages. Since the web content is controlled by
the web browser, it is inappropriate to inherit security policy from the
triggering action.
This fixes error pages in Epiphany after visiting a website that sets
CSP. For example, visit https://duckduckgo.com/ then visit
https://expired.badssl.com/ which should display a TLS error page.
Before this commit, DuckDuckGo's CSP applies to the error page and
blocks the lock icon. CSP on other websites may also break Epiphany's
button for bypassing the certificate error, since the button uses
JavaScript.
The new test is written by Patrick Griffis (thank you!).
* Source/WebCore/loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
* Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp:
(testWebViewLoadAlternateHTMLFromPageWithCSP):
(beforeAll):
Canonical link: https://commits.webkit.org/288026@main
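The inheritance decision described in the commit message, as an added model (not WebKit code, and the CSP header below is constructed rather than DuckDuckGo's real policy): a substitute-data load such as a TLS error page must start without the triggering page's policy, otherwise that page's script-src can block the error page's own JavaScript.

```python
"""Toy model of the CSP-inheritance decision fixed in this commit (not WebKit code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CSP:
    """Minimal CSP: directive name -> list of source expressions."""
    directives: dict = field(default_factory=dict)

    @classmethod
    def parse(cls, header: str) -> "CSP":
        d = {}
        for part in header.split(";"):
            tokens = part.split()
            if tokens:
                d[tokens[0].lower()] = tokens[1:]
        return cls(d)

    def allows_inline_script(self) -> bool:
        # script-src governs inline script; it falls back to default-src.
        sources = self.directives.get("script-src", self.directives.get("default-src"))
        if sources is None:
            return True  # no applicable directive: inline script is allowed
        return "'unsafe-inline'" in sources


@dataclass
class Document:
    url: str
    csp: Optional[CSP] = None


def begin_document(triggering: Optional[Document], url: str,
                   is_substitute_data: bool, fixed: bool) -> Document:
    """Simplified stand-in for the check in DocumentWriter::begin (assumption).
    Before the fix, a browser-supplied substitute-data load (an error page)
    inherited the triggering document's CSP; after the fix it does not."""
    inherit = triggering is not None and (not fixed or not is_substitute_data)
    return Document(url, csp=triggering.csp if inherit else None)


def error_page_script_runs(site_csp_header: str, fixed: bool) -> bool:
    """Does the browser's own error page get to run its inline JavaScript?"""
    site = Document("https://example.test/", CSP.parse(site_csp_header))  # constructed
    error_page = begin_document(site, "https://tls-error.test/", True, fixed)
    return error_page.csp is None or error_page.csp.allows_inline_script()
```

With a strict site policy such as "default-src 'self'; script-src 'self'", the buggy path blocks the error page's inline script and the fixed path allows it.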