[Webkit-unassigned] [Bug 184149] Do CSP checks in the network process

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 24 17:03:48 PDT 2018


Daniel Bates <dbates at webkit.org> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #4 from Daniel Bates <dbates at webkit.org> ---
(In reply to Daniel Bates from comment #2)
> (In reply to Ryosuke Niwa from comment #0)
> > We should be checking CSP in the network process in process-per-origin.
> Elaborating further the purpose of this bug is to perform CSP checks that
> operate on the HTTP response (e.g. frame-ancestor directive) or an HTTP
> redirect request in the network process. One of the benefits of performing
> such checks in the network process is that it avoids the need to send the
> HTTP response to the web content process for such analysis as the response
> may be for a cross-origin resource.

Deliberating on this bug some more, there are no security benefits to having all CSP checks in the network process for redirects as the initial request had to be allowed by the page's CSP (in the WebContent process) and it can be shown by inductive argument that all intermediary redirects had to be allowed by the page's CSP. There is only a security benefit to checking the frame-ancestor directive in the network process. Fixing this bug may improve performance as we could cancel a redirected load without consulting the WebContent process. However this is not stated purpose of this bug per comment 0 and it is not obvious how much a performance win moving the checks would be.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180425/635608f9/attachment.html>

More information about the webkit-unassigned mailing list