<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CSP: Check &lt;param&gt; element values against the document's CSP before loading"

   href="https://bugs.webkit.org/show_bug.cgi?id=153153">153153</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CSP: Check &lt;param&gt; element values against the document's CSP before loading

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Local Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Keywords</th>

          <td>BlinkMergeCandidate

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>We should merge &lt;<a href="https://src.chromium.org/viewvc/blink?view=rev&amp;revision=164952">https://src.chromium.org/viewvc/blink?view=rev&amp;revision=164952</a>&gt;.

CSP: Check &lt;param&gt; element values against the document's CSP before loading.

We ought to take account of the 'param' element parsing behavior that happens in

'HTMLObjectElement'. This patch moves the pluginIsLoadable check to make that

happen.

To avoid 'setTimeout' in the test, and to align with the spec[1], this patch also

starts dispatching an 'error' event on load failure for 'object' elements.

[1]: #4.6 (&quot;If the load failed...&quot;) of <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element">http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element</a></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>