<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CSP: Block XHR when calling XMLHttpRequest.send() and throw network error"

   href="https://bugs.webkit.org/show_bug.cgi?id=153598">153598</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CSP: Block XHR when calling XMLHttpRequest.send() and throw network error

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Local Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>webkit-bug-importer&#64;group.apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>According to &lt;<a href="https://w3c.github.io/webappsec-csp/2/#directive-connect-src">https://w3c.github.io/webappsec-csp/2/#directive-connect-src</a>&gt; (29 August 2015), we should enforce the connect-src directive of the page's content security policy at the time XMLHttpRequest.send() is called and a violation of the connect-src policy should throw a network error:

[[

Whenever the user agent fetches a URL in the course of one of the following activities, if the URL does not match the allowed connection targets for the protected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained, and report a violation:

    - Processing the send() method of an XMLHttpRequest object.

]]

Currently, we enforce the connect-src directive of the page's content security policy in XMLHttpRequest.open() and throw a security error.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>