[Webkit-unassigned] [Bug 172038] REGRESSION (r209608): Cross-origin plugin document opened in child window blocked by parent window CSP when object-src 'none' is set
bugzilla-daemon at webkit.org
Fri May 12 16:10:16 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=172038
--- Comment #3 from Daniel Bates <dbates at webkit.org> ---
(In reply to John Wilander from comment #1)
> Thanks for reporting, Markus!
>
> Dan, what's your take?
This bug was caused by <http://trac.webkit.org/changeset/209608> (bug #15531). We should only have a plugin document loaded in a subframe inherit the CSP policy of its parent frame regardless of whether it inherits the security origin of its parent. This will allow a cross-origin plugin document loaded in a child window to be allowed to load regardless of the CSP policy of its opener.
Additional remarks:
We treat a plugin document (direct navigation to a document that requires a plugin) as a special case. In particular, a plugin document loaded in a subframe (e.g. <object>) will inherit the CSP policy of its parent page regardless of whether the document inherits the security origin of its parent page. (Bug #153160 is about changing this behavior.) Following the patch for bug #15531 we apply the same inheritance policy to a plugin document loaded in a child window.