[Webkit-unassigned] [Bug 153598] New: CSP: Block XHR when calling XMLHttpRequest.send() and throw network error
bugzilla-daemon at webkit.org
Thu Jan 28 10:25:51 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=153598
Bug ID: 153598
Summary: CSP: Block XHR when calling XMLHttpRequest.send() and throw network error
Classification: Unclassified
Product: WebKit
Version: WebKit Local Build
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dbates at webkit.org
CC: webkit-bug-importer at group.apple.com
According to <https://w3c.github.io/webappsec-csp/2/#directive-connect-src> (29 August 2015), we should enforce the connect-src directive of the page's content security policy at the time XMLHttpRequest.send() is called and a violation of the connect-src policy should throw a network error:
[[
Whenever the user agent fetches a URL in the course of one of the following activities, if the URL does not match the allowed connection targets for the protected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained, and report a violation:
- Processing the send() method of an XMLHttpRequest object.
]]
Currently, we enforce the connect-src directive of the page's content security policy in XMLHttpRequest.open() and throw a security error.