<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - upgrade-insecure-requests is applied after other CSP directives potentially blocking resource before upgrade is applied"
href="https://bugs.webkit.org/show_bug.cgi?id=158388">158388</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>upgrade-insecure-requests is applied after other CSP directives potentially blocking resource before upgrade is applied
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>New Bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>tollmanz@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>bfulgham@webkit.org
</td>
</tr></table>
<p>
<div>
<pre>With the implementation of `upgrade-insecure-requests` in r201679, the `upgrade-insecure-requests` directive appears to be applied *after* other directives are applied, potentially blocking resources before the upgrade can be applied.
To reproduce:
1. Generate a page with the following CSP header: `default-src https:; upgrade-insecure-requests`
2. Create a HTML page, protected by the CSP in step1, that contains an `img` tag with a `src` attribute pointing to an HTTP resource, that can successfully be upgraded to an HTTPS resource via `upgrade-insecure-requests`. The following HTML document meets these requirements:
```
<html>
<head>
</head>
<body>
<img src="<a href="http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150">http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150</a>" />
</body>
</html>
```
3. Load this page in Webkit Nightly Build and observe results
4. Change the CSP header to `upgrade-insecure-requests`
5. Load this page in Webkit Nightly Build and observe results
Expected behavior:
The `<a href="http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150">http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150</a>` resource should be upgraded to `<a href="https://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150">https://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150</a>` and displayed without warning. Observing this test in stable Chrome and Firefox results in the desired upgrade behavior.
What happened:
The image is not displayed on the page at step #3, but is displayed for step #5, suggesting that UIR is working and is applied only after the `default-src` (and presumably other directives) are applied, leading to blocking the resource.
The following errors are shown in the console in step #3:
[Error] Unrecognized Content-Security-Policy directive 'upgrade-insecure-requests'.
Refused to load the image '<a href="http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150">http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150</a>' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
Note that the "Unrecognized CSP..." error displays on some loads, but not others. If you continually refresh, you should be able to observe it; however, the image is always blocked.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>