[webkit-reviews] review granted: [Bug 184760] NetworkProcess should use CSP/content blockers for sync XHR : [Attachment 338271] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 19 08:55:52 PDT 2018 

Chris Dumez <cdumez at apple.com> has granted youenn fablet <youennf at gmail.com>'s
request for review:
Bug 184760: NetworkProcess should use CSP/content blockers for sync XHR
https://bugs.webkit.org/show_bug.cgi?id=184760

Attachment 338271: Patch

https://bugs.webkit.org/attachment.cgi?id=338271&action=review




--- Comment #4 from Chris Dumez <cdumez at apple.com> ---
Comment on attachment 338271
  --> https://bugs.webkit.org/attachment.cgi?id=338271
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=338271&action=review

r=me with comments.

>> LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html:1
>> +<head>
> 
> Pleae add a <!DOCTYPE html>.

+1

>>
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests
/resources/insecure-sync-xhr-in-main-frame-window.html:1
>> +<html>
> 
> Please add a <!DOCTYPE html>. Also, is this markup well formed?

+1

>
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests
/resources/insecure-sync-xhr-in-main-frame-window.html:2
> +<meta http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests">

I think it'd be nicer to put the meta tag inside a <head>

>
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests
/resources/insecure-sync-xhr-in-main-frame-window.html:7
> +    xhr = new XMLHttpRequest();

const xhr =

I do not think it needs to be global.

> LayoutTests/platform/mac-wk1/TestExpectations:101
> +http/tests/contentextensions/sync-xhr-redirection-blocked.html [ Skip ]

This folder is skipped globally and only enabled on mac-wk2 so this entry
should not be needed.

> LayoutTests/platform/mac-wk1/TestExpectations:102
>
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-in
secure-sync-xhr-in-main-frame.html [ Skip ]

I am assuming this fails on WK1 because you fixed Sync XHR + CSP for WK2 only.
I think this is fine but the comment should be clearer if this is the case.

> LayoutTests/platform/win/TestExpectations:2215
> +http/tests/contentextensions/sync-xhr-redirection-blocked.html [ Skip ]

Ditto.

> LayoutTests/platform/win/TestExpectations:2216
>
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-in
secure-sync-xhr-in-main-frame.html [ Skip ]

ditto.

More information about the webkit-reviews mailing list