[Webkit-unassigned] [Bug 159761] New: CSP: Neither `object-src` nor `frame-src` blocks YouTube videos on iOS.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 14 06:37:13 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=159761

            Bug ID: 159761
           Summary: CSP: Neither `object-src` nor `frame-src` blocks
                    YouTube videos on iOS.
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mkwst at chromium.org

Given the following test page, I'd expect the video embed to be blocked. It isn't on iOS:

```
<!DOCTYPE html>
<head>
  <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
</head>
<body>
<object width="425" height="350" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
  <embed width="425" height="350" type="application/x-shockwave-flash" src="https://www.youtube.com/v/cW44BpXpjYw" />
</object>
</body>
```

I suspect that this is due to the manipulations in `//WebCore/Modules/plugins/YouTubePluginReplacement.*`? It looks like that ends up replacing the plugin with an `<iframe>`, but `frame-src` and `child-src` seem equally ineffective at blocking the video.

-- 
You are receiving this mail because:
You are the assignee for the bug.
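The outcome the report expects can be written down as a small policy evaluator. This is an added example, not code from the bug report or from WebKit: it assumes the CSP Level 3 fallback order (`frame-src`, then `child-src`, then `default-src` for frames; `object-src`, then `default-src` for plugins) and implements only a subset of source-expression matching. The function names are hypothetical, and the video URL from the test page stands in for the replacement `<iframe>` URL, which the report does not give.

```javascript
// Added illustration, not WebKit code. Models only directive fallback and a
// small subset of CSP source-expression matching.
const FALLBACK = {
  object: ["object-src", "default-src"],             // <object> / <embed>
  frame: ["frame-src", "child-src", "default-src"],  // <iframe>
};

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// Subset matcher: 'none', *, "scheme:", host, scheme://host, *.host.
// Simplification: a host without a scheme matches any scheme here.
function sourceMatches(expr, url) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(e);
  if (!m) return false; // keywords, nonces, ports and paths are out of scope
  if (m[1] && url.protocol !== m[1] + ":") return false;
  return m[2] ? url.hostname.endsWith("." + m[3]) : url.hostname === m[3];
}

// What a conforming engine should decide for a load of the given kind.
function evaluate(policyText, kind, href) {
  const policy = parsePolicy(policyText);
  const directive = FALLBACK[kind].find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null }; // nothing governs it
  const url = new URL(href);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, url));
  return { allowed, directive };
}

// URL taken from the report's test page.
const VIDEO = "https://www.youtube.com/v/cW44BpXpjYw";
console.log(evaluate("object-src 'none'", "object", VIDEO)); // plugin load
console.log(evaluate("object-src 'none'", "frame", VIDEO));  // same policy, frame load
console.log(evaluate("frame-src 'none'", "frame", VIDEO));
```

Under `object-src 'none'` alone, the plugin load is refused but a frame load has no governing directive, so an engine that swaps the plugin for an `<iframe>` has to apply the `object-src` check before the swap, and the frame directives to the replacement, for the policy to hold.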