[webkit-reviews] review granted: [Bug 89373] Add a scheme registry for bypassing Content Security Policy. : [Attachment 148189] Crossing different fingers.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jun 18 16:52:47 PDT 2012
Adam Barth <abarth at webkit.org> has granted Mike West <mkwst at chromium.org>'s
request for review:
Bug 89373: Add a scheme registry for bypassing Content Security Policy.
https://bugs.webkit.org/show_bug.cgi?id=89373
Attachment 148189: Crossing different fingers.
https://bugs.webkit.org/attachment.cgi?id=148189&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=148189&action=review
>
LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme
.html:19
> + <img src="../resources/abe.png" onload="alert(this.width == 76 ? 'FAIL'
: 'PASS')">
> + <script>
> + internals.registerURLSchemeAsBypassingContentSecurityPolicy('http');
> + </script>
> + <img src="../resources/abe.png" onload="alert(this.width == 76 ? 'PASS'
: 'FAIL')">
> + <script>
> +
internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http');
> + </script>
> + <img src="../resources/abe.png" onload="alert(this.width == 76 ? 'FAIL'
: 'PASS')">
The code looks good, but isn't this test racy? I guess we only check CSP when
kicking off the load and we kick off the load synchronously.... I guess the
ordering between the onload events doesn't matter because only one of them
actually happens. So, it's not racy, but for subtle reasons. Maybe that's ok.
More information about the webkit-reviews
mailing list