[Webkit-unassigned] [Bug 264355] Content Security Policy for previous load should not apply to subsequent alternate HTML load
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Nov 21 15:22:20 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=264355
Ryan Reno <rreno at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rreno at apple.com
--- Comment #8 from Ryan Reno <rreno at apple.com> ---
The inheritance behavior comes from this spec algorithm:
https://html.spec.whatwg.org/multipage/browsers.html#determining-navigation-params-policy-container
In particular, a navigation to a local scheme is supposed to inherit from the initiator's policy which is what's happening here. Looks like the user agent is navigating to an about: scheme which has some CSS and/or JS which is being blocked by the pre-existing CSP.
I wonder if maybe the sourceDocument from the spec in this case should be something other than the document being navigated away from. Like maybe there's some other spec interaction I didn't consider that covers this case. At any rate, an exception for the case of loading alternate HTML seems reasonable.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241121/ce79350c/attachment.htm>
More information about the webkit-unassigned
mailing list