[Webkit-unassigned] [Bug 69388] CSP: We don't apply img-src CSP directive on redirects for images that load using the PingLoader

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 17 14:01:02 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=69388

--- Comment #4 from Daniel Bates <dbates at webkit.org> ---
I briefly thought about this bug today. There seem to be at least two complications of the current WebKit architecture that make fixing this non-trivial: 1) the lifetime of a ping handle is different from the lifetime of the document that initiated the ping request; 2) in WebKit2, ping loads are made in the network process.

Disregarding the need to emit a console message when CSP blocks a redirected ping request (would this be observable to web developers given that we are tearing down the page?), one way to avoid the need to tie the lifetime of the ping handle to the document is to have the ping handle/ping loader own a copy of the document's ContentSecurityPolicy object and use this copy to evaluate the CSP policy to determine if the redirect is allowed.

The reason it would be good to avoid having the lifetime of the ping handle be tied to the lifetime of the document is to avoid blocking the UI process/thread for a slow ping response. (Although we do not care about the response data for a ping, we do wait up to 1 minute for a response).

For completeness, if we wanted to have the lifetime of the ping handle be tied to the lifetime of the document then one idea is to move the ping handle/ping loader logic to a ResourceHandleClient-like model such that the handle calls back to the WebProcess portion of the ping loader when it needs to decide whether to take a redirect (a ResourceHandleClient::willSendRequest()-like callback). The ping loader can then query the CSP of the document to determine if the redirect is allowed.

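As an added illustration of the "ping loader owns a copy of the ContentSecurityPolicy" idea from the comment above (my own sketch, not WebKit code): the loader snapshots the document's img-src list when the ping is issued, the document is destroyed, and the redirect is then evaluated against the copy in a willSendRequest()-style decision. The class and function names are assumptions, and the source-expression matching is deliberately minimal (exact origins and host wildcards only).

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical model, not WebKit code: the img-src source list, 'self' already resolved.
struct ContentSecurityPolicy {
    std::vector<std::string> imgSrc; // e.g. "https://example.com", "*.cdn.example.net"
};

// "scheme://host" of a URL (constructed, minimal parsing: port/path/query dropped).
static std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    auto hostEnd = url.find_first_of("/:?#", schemeEnd + 3);
    return url.substr(0, hostEnd == std::string::npos ? url.size() : hostEnd);
}

// Does one img-src source expression match url? Exact origin or "*.host" wildcard only.
static bool sourceMatches(const std::string& source, const std::string& url) {
    std::string origin = originOf(url);
    if (origin.empty()) return false;
    if (source.rfind("*.", 0) != 0) return source == origin;
    std::string suffix = source.substr(1); // ".cdn.example.net"
    std::string host = origin.substr(origin.find("://") + 3);
    return host.size() > suffix.size()
        && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
}

struct Document { ContentSecurityPolicy csp; };

// The ping loader owns a copy of the policy taken when the ping is sent, so it
// can outlive the document and still decide whether a redirect is allowed.
class PingLoader {
public:
    explicit PingLoader(const Document& doc) : m_policy(doc.csp) {}
    // willSendRequest()-style decision: true = follow redirect, false = cancel ping.
    bool willSendRequest(const std::string& redirectURL) const {
        for (const auto& source : m_policy.imgSrc)
            if (sourceMatches(source, redirectURL)) return true;
        return false;
    }
private:
    ContentSecurityPolicy m_policy;
};

// Scenario: the page is torn down after the ping is issued, then the server redirects.
static bool redirectAllowedAfterDocumentGone(const std::string& redirectURL) {
    auto doc = std::make_unique<Document>();
    doc->csp.imgSrc = {"https://example.com", "*.cdn.example.net"};
    PingLoader loader(*doc);
    doc.reset(); // navigated away; the loader must not touch the document
    return loader.willSendRequest(redirectURL);
}
```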