<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - CSP: Neither `object-src` nor `frame-src` blocks YouTube videos on iOS."
   href="https://bugs.webkit.org/show_bug.cgi?id=159761">159761</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>CSP: Neither `object-src` nor `frame-src` blocks YouTube videos on iOS.
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore Misc.
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mkwst&#64;chromium.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Given the following test page, I'd expect the video embed to be blocked. It isn't on iOS:

```
&lt;!DOCTYPE html&gt;
&lt;head&gt;
  &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src 'none'&quot;&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;object width=&quot;425&quot; height=&quot;350&quot; classid=&quot;clsid:d27cdb6e-ae6d-11cf-96b8-444553540000&quot; codebase=&quot;<a href="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0</a>&quot;&gt;
  &lt;embed width=&quot;425&quot; height=&quot;350&quot; type=&quot;application/x-shockwave-flash&quot; src=&quot;<a href="https://www.youtube.com/v/cW44BpXpjYw">https://www.youtube.com/v/cW44BpXpjYw</a>&quot; /&gt;
&lt;/object&gt;
&lt;/body&gt;
```

I suspect that this is due to the manipulations in `//WebCore/Modules/plugins/YouTubePluginReplacement.*`? It looks like that ends up replacing the plugin with an `&lt;iframe&gt;`, but `frame-src` and `child-src` seem equally ineffective at blocking the video.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>