[webkit-reviews] review granted: [Bug 184760] NetworkProcess should use CSP/content blockers for sync XHR : [Attachment 338271] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Apr 19 08:55:52 PDT 2018
Chris Dumez <cdumez at apple.com> has granted youenn fablet <youennf at gmail.com>'s
request for review:
Bug 184760: NetworkProcess should use CSP/content blockers for sync XHR
https://bugs.webkit.org/show_bug.cgi?id=184760
Attachment 338271: Patch
https://bugs.webkit.org/attachment.cgi?id=338271&action=review
--- Comment #4 from Chris Dumez <cdumez at apple.com> ---
Comment on attachment 338271
--> https://bugs.webkit.org/attachment.cgi?id=338271
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=338271&action=review
r=me with comments.
>> LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html:1
>> +<head>
>
> Pleae add a <!DOCTYPE html>.
+1
>>
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests
/resources/insecure-sync-xhr-in-main-frame-window.html:1
>> +<html>
>
> Please add a <!DOCTYPE html>. Also, is this markup well formed?
+1
>
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests
/resources/insecure-sync-xhr-in-main-frame-window.html:2
> +<meta http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests">
I think it'd be nicer to put the meta tag inside a <head>
>
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests
/resources/insecure-sync-xhr-in-main-frame-window.html:7
> + xhr = new XMLHttpRequest();
const xhr =
I do not think it needs to be global.
> LayoutTests/platform/mac-wk1/TestExpectations:101
> +http/tests/contentextensions/sync-xhr-redirection-blocked.html [ Skip ]
This folder is skipped globally and only enabled on mac-wk2 so this entry
should not be needed.
> LayoutTests/platform/mac-wk1/TestExpectations:102
>
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-in
secure-sync-xhr-in-main-frame.html [ Skip ]
I am assuming this fails on WK1 because you fixed Sync XHR + CSP for WK2 only.
I think this is fine but the comment should be clearer if this is the case.
> LayoutTests/platform/win/TestExpectations:2215
> +http/tests/contentextensions/sync-xhr-redirection-blocked.html [ Skip ]
Ditto.
> LayoutTests/platform/win/TestExpectations:2216
>
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-in
secure-sync-xhr-in-main-frame.html [ Skip ]
ditto.
More information about the webkit-reviews
mailing list