[Webkit-unassigned] [Bug 158388] New: upgrade-insecure-requests is applied after other CSP directives potentially blocking resource before upgrade is applied

Sat Jun 4 19:16:41 PDT 2016

https://bugs.webkit.org/show_bug.cgi?id=158388

            Bug ID: 158388
           Summary: upgrade-insecure-requests is applied after other CSP
                    directives potentially blocking resource before
                    upgrade is applied
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tollmanz at gmail.com
                CC: bfulgham at webkit.org

With the implementation of `upgrade-insecure-requests` in r201679, the `upgrade-insecure-requests` directive appears to be applied *after* other directives are applied, potentially blocking resources before the upgrade can be applied.

To reproduce:

1. Generate a page with the following CSP header: `default-src https:; upgrade-insecure-requests`
2. Create a HTML page, protected by the CSP in step1, that contains an `img` tag with a `src` attribute pointing to an HTTP resource, that can successfully be upgraded to an HTTPS resource via `upgrade-insecure-requests`. The following HTML document meets these requirements:

```
<html>
<head>
</head>
<body>
<img src="http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150" />
</body>
</html>
```

3. Load this page in Webkit Nightly Build and observe results
4. Change the CSP header to `upgrade-insecure-requests`
5. Load this page in Webkit Nightly Build and observe results

Expected behavior:

The `http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150` resource should be upgraded to `https://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150` and displayed without warning. Observing this test in stable Chrome and Firefox results in the desired upgrade behavior.

What happened:

The image is not displayed on the page at step #3, but is displayed for step #5, suggesting that UIR is working and is applied only after the `default-src` (and presumably other directives) are applied, leading to blocking the resource. 

The following errors are shown in the console in step #3:

[Error] Unrecognized Content-Security-Policy directive 'upgrade-insecure-requests'.
Refused to load the image 'http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Note that the "Unrecognized CSP..." error displays on some loads, but not others. If you continually refresh, you should be able to observe it; however, the image is always blocked.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160605/9490a36d/attachment.html>