[Webkit-unassigned] [Bug 116067] New: CSP: Redirects in DocumentThreadableLoader should respect the active policy
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon May 13 16:05:21 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=116067
Summary: CSP: Redirects in DocumentThreadableLoader should
respect the active policy
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rniwa at webkit.org
CC: ap at webkit.org, beidson at apple.com
We should probably merge
https://chromium.googlesource.com/chromium/blink/+/2853f594838e8bf24813482ad02f87853cae4366
CSP: Redirects in DocumentThreadableLoader should respect the active policy.
Canary currently fails test 150[1] and 156[2] of Erlend Oftedal's "CSP Testing"
checks[3]. Both fail because we currently only check the URL to which an XHR
connects during 'xhr.open()'. This patch adjusts the checks happening inside
DocumentThreadableLoader::redirectReceived in order to verify that the URL to
which we've been redirected passes through the page's Content Security Policy
as well.
[1]: http://csptesting.herokuapp.com/test/load/150
[2]: http://csptesting.herokuapp.com/test/load/156
[3]: http://csptesting.herokuapp.com/
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list