[Webkit-unassigned] [Bug 184149] Do CSP checks in the network process

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=184149

Daniel Bates <dbates at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #4 from Daniel Bates <dbates at webkit.org> ---
(In reply to Daniel Bates from comment #2)
> (In reply to Ryosuke Niwa from comment #0)
> > We should be checking CSP in the network process in process-per-origin.
> 
> Elaborating further the purpose of this bug is to perform CSP checks that
> operate on the HTTP response (e.g. frame-ancestor directive) or an HTTP
> redirect request in the network process. One of the benefits of performing
> such checks in the network process is that it avoids the need to send the
> HTTP response to the web content process for such analysis as the response
> may be for a cross-origin resource.

Deliberating on this bug some more, there are no security benefits to having all CSP checks in the network process for redirects as the initial request had to be allowed by the page's CSP (in the WebContent process) and it can be shown by inductive argument that all intermediary redirects had to be allowed by the page's CSP. There is only a security benefit to checking the frame-ancestor directive in the network process. Fixing this bug may improve performance as we could cancel a redirected load without consulting the WebContent process. However this is not stated purpose of this bug per comment 0 and it is not obvious how much a performance win moving the checks would be.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180425/635608f9/attachment.html>