[Webkit-unassigned] [Bug 69359] CSP connect-src directive should block redirects

bugzilla-daemon at webkit.org
Tue Oct 4 13:09:42 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=69359





--- Comment #2 from Sam Weinig <sam at webkit.org>  2011-10-04 13:09:42 PST ---
This is made slightly complicated by the fact that we don't get a chance to stop redirects in the same class that started the load.  I am told this is because we don't want to block an XHR on a worker from making progress, so all policy information has to be on the ThreadableLoader itself. 

One way we could do this is to make ThreadableLoader aware of either the whole ContentSecurityPolicy object (making access to it safe from multiple threads). Another is to just have a way to copy the relevant part of the policy into the loader, and have a mechanism for it to provide reports.  There may be other ways, but I am currently leaning toward making the ContentSecurityPolicy thread safe.

Adam, your comments are appreciated.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
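
An added sketch (not WebKit code and not part of the original comment) of the second option described in Comment #2: the loader holds its own copy of the connect-src source list, re-checks it on every redirect hop, and queues reports. The names `matchesSource`, `makeLoaderPolicy`, `followRedirects` and the `*.example` URLs are hypothetical, and source matching is simplified to `*`, `'self'` and scheme/host/port expressions.

```javascript
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Simplified matching: '*', 'self', and [scheme://][*.]host[:port|:*] expressions.
function matchesSource(source, url, selfOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === selfOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the scheme of the protected page.
  const wantProtocol = scheme ? scheme.toLowerCase() + ":" : new URL(selfOrigin).protocol;
  if (url.protocol !== wantProtocol) return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port === "*") return true;
  if (port === undefined) return url.port === ""; // default port only
  return port === (url.port || DEFAULT_PORTS[url.protocol]);
}

// The loader's private snapshot of connect-src plus a queue of violation reports,
// so redirect checks never touch the document's policy object from another thread.
function makeLoaderPolicy(connectSrc, selfOrigin) {
  const sources = Object.freeze([...connectSrc]);
  const reports = [];
  return {
    reports,
    allows(urlString, hop) {
      const url = new URL(urlString);
      const ok = sources.some((s) => matchesSource(s, url, selfOrigin));
      if (!ok) reports.push({ directive: "connect-src", blockedURL: url.href, hop });
      return ok;
    },
  };
}

// Checks the initial URL (hop 0) and every redirect target; stops at the first refusal.
function followRedirects(policy, chain) {
  for (let hop = 0; hop < chain.length; hop++) {
    if (!policy.allows(chain[hop], hop)) return { blockedAt: hop };
  }
  return { blockedAt: -1 };
}

// Constructed sample: an allowed endpoint whose second redirect leaves the policy.
const policy = makeLoaderPolicy(["'self'", "https://api.example"], "https://app.example");
const chain = ["https://api.example/data", "https://api.example/v2", "https://other.example/collect"];
const result = followRedirects(policy, chain);
console.log(result, policy.reports);
```

Checking only hop 0 would let this chain through; the violation appears only once the loader evaluates each redirect target against its copy of the policy.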


