[Webkit-unassigned] [Bug 273240] New: COEP supported for non-secure contexts

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 25 02:49:34 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273240

            Bug ID: 273240
           Summary: COEP supported for non-secure contexts
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jannis.rautenstrauch at cispa.de
                CC: beidson at apple.com

The specification of COEP state that it only applies in secure contexts: https://html.spec.whatwg.org/multipage/browsers.html#coep
7.4.1.2: If environment is a non-secure context, then return policy. 


Safari seems to apply COEP regardless of the context:
Visit a top-level page with HTTPS, frame an HTTP page (that sets COEP require-corp), load resources that are not allowed due to COEP (nor CORS or CORP header), they are blocked by Safari (applies COEP in non-secure context) but not in other browsers.

Example URL: http://sub.headers.websec.saarland/_hp/tests/subresource-loading-coep.sub.html?resp_type=parsing&browser_id=1&label=COEP&first_id=20261&last_id=20265&scheme=http&t_resp_id=20263&t_element_relation=img_direct&t_resp_origin=https://headers.webappsec.eu
swag.jpg has neither CORS nor CORP and is not allowed to load.




FYI: I first reported the issue to Firefox and Chrome which follows the spec, but not applying COEP feels less secure. Firefox people mentioned it might make sense to change the spec.
Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1891692
Chrome: https://issues.chromium.org/issues/334965851

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240425/28a6061f/attachment-0001.htm>


More information about the webkit-unassigned mailing list