[webkit-changes] [WebKit/WebKit] b1ba0d: Cherry-pick 288026 at main (a2b811f9d215). https://bu...

Michael Catanzaro noreply at github.com
Thu Jan 9 06:18:07 PST 2025


  Branch: refs/heads/webkitglib/2.46
  Home:   https://github.com/WebKit/WebKit
  Commit: b1ba0d92a5a67aa46643bd6d07fa69de2bd41589
      https://github.com/WebKit/WebKit/commit/b1ba0d92a5a67aa46643bd6d07fa69de2bd41589
  Author: Michael Catanzaro <mcatanzaro at redhat.com>
  Date:   2025-01-09 (Thu, 09 Jan 2025)

  Changed paths:
    M Source/WebCore/loader/DocumentWriter.cpp
    M Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp

  Log Message:
  -----------
  Cherry-pick 288026 at main (a2b811f9d215). https://bugs.webkit.org/show_bug.cgi?id=264355

    Content Security Policy for previous load should not apply to subsequent alternate HTML load
    https://bugs.webkit.org/show_bug.cgi?id=264355

    Reviewed by Ryan Reno.

    A substitute data load occurs when WebKit decides to load a URL using
    its own web content rather than the website's usual web content. In
    practice, browsers do this when displaying error pages, such as network
    error pages or TLS error pages. Since the web content is controlled by
    the web browser, it is inappropriate to inherit security policy from the
    triggering action.

    This fixes error pages in Epiphany after visiting a website that sets
    CSP. For example, visit https://duckduckgo.com/ then visit
    https://expired.badssl.com/ which should display a TLS error page.
    Before this commit, DuckDuckGo's CSP applies to the error page and
    blocks the lock icon. CSP on other websites may also break Epiphany's
    button for bypassing the certificate error, since the button uses
    JavaScript.

    The new test is written by Patrick Griffis (thank you!).

    * Source/WebCore/loader/DocumentWriter.cpp:
    (WebCore::DocumentWriter::begin):
    * Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp:
    (testWebViewLoadAlternateHTMLFromPageWithCSP):
    (beforeAll):

    Canonical link: https://commits.webkit.org/288026@main

Canonical link: https://commits.webkit.org/282416.380@webkitglib/2.46


