[Webkit-unassigned] [Bug 116067] New: CSP: Redirects in DocumentThreadableLoader should respect the active policy

Mon May 13 16:05:21 PDT 2013

https://bugs.webkit.org/show_bug.cgi?id=116067

           Summary: CSP: Redirects in DocumentThreadableLoader should
                    respect the active policy
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rniwa at webkit.org
                CC: ap at webkit.org, beidson at apple.com

We should probably merge
https://chromium.googlesource.com/chromium/blink/+/2853f594838e8bf24813482ad02f87853cae4366

CSP: Redirects in DocumentThreadableLoader should respect the active policy.

Canary currently fails test 150[1] and 156[2] of Erlend Oftedal's "CSP Testing"
checks[3]. Both fail because we currently only check the URL to which an XHR
connects during 'xhr.open()'. This patch adjusts the checks happening inside
DocumentThreadableLoader::redirectReceived in order to verify that the URL to
which we've been redirected passes through the page's Content Security Policy
as well.

[1]: http://csptesting.herokuapp.com/test/load/150
[2]: http://csptesting.herokuapp.com/test/load/156
[3]: http://csptesting.herokuapp.com/

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.