[webkit-reviews] review granted: [Bug 235837] CSP: Properly block image content in object elements : [Attachment 450280] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 28 15:39:06 PST 2022

Kate Cheney <katherine_cheney at apple.com> has granted Patrick Griffis
<pgriffis at igalia.com>'s request for review:
Bug 235837: CSP: Properly block image content in object elements

Attachment 450280: Patch


--- Comment #2 from Kate Cheney <katherine_cheney at apple.com> ---
Comment on attachment 450280
  --> https://bugs.webkit.org/attachment.cgi?id=450280

View in context: https://bugs.webkit.org/attachment.cgi?id=450280&action=review

> Source/WebCore/loader/ResourceLoaderOptions.h:150
> +enum class LoadedFromPluginElement : uint8_t {
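
Review bot: The LoadedFromPluginElement declaration at ResourceLoaderOptions.h:150 should have a one-line comment naming the check that reads it. The name alone does not say that it bears on CSP handling of image content in object elements, which is what the bug title describes, and a caller that leaves the option at its default needs to know what that implies for the policy decision.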

Usually we write enums for booleans like this:

enum class LoadedFromPluginElement : bool { No, Yes };

with a "bool" specifier and the 'No' value first. I am not sure why other enums
in this class do not follow that pattern, but I think we should stick with it.

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:581
> +	   String consoleMessage =
consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
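
Review bot: The console message built at ContentSecurityPolicy.cpp:581 from violatedDirective, blockedURL and the "Refused to load" prefix is developer-visible output, so the patch should include a test expectation that pins the exact text for an image loaded through an object element. Without that, a later change to the arguments of consoleMessageForViolation can alter what is reported without anything failing.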

We should log the target URL in the console here I think. It is helpful to
debug and I believe it also matches other browser behavior in general to log
the target URL in the console.
