[Webkit-unassigned] [Bug 184149] Do CSP checks in the network process because redirect responses are security sensitive
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Apr 25 10:49:59 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=184149
--- Comment #8 from Daniel Bates <dbates at webkit.org> ---
(In reply to Daniel Bates from comment #7)
> Option 2: Duplicate frame-ancestor check and all CSP checks applied to
> redirect requests in the network process.
> Advantage: Network process does not need to message web content process
> on each redirect request to ask if the load is allowed by the page's CSP
> policy; => avoid IPC.
> Disadvantage: Must duplicate all CSP checks for redirects in network
> process to avoid the need to message web content process on each redirect
> request to ask if the load is allowed by the page's CSP policy. (We may be
> able to extract some or all of the CSP checks, at least the checks in
> CachedResourceLoader, into a common functions that is used both by the
> network process and WebCore. It is non-trivial to do this refactor).
>
Filed bug #184980 to track this effort.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180425/7918447d/attachment-0001.html>
More information about the webkit-unassigned
mailing list