Bug 106084

Summary: CSP: 'frame-src' should block redirects to invalid sources.
Product: WebKit Reporter: Mike West <mkwst>
Component: WebCore Misc.Assignee: Mike West <mkwst>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, japhet, mkwst+watchlist, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 103582    
Attachments:
Description Flags
Patch none

Mike West
Reported 2013-01-04 04:35:18 PST
WebKit currently fails test 95 and 101 on http://csptesting.herokuapp.com/. These test variations on whitelisting a source via a 'frame-src' directive, and then loading a whitelisted frame from that source which redirects to a non-whitelisted source. This redirection should be blocked, but currently isn't.
Attachments
Patch (6.00 KB, patch)
2013-01-04 04:38 PST, Mike West 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mike West
Comment 1 2013-01-04 04:38:22 PST
Created attachment 181289 [details] Patch
Mike West
Comment 2 2013-01-04 04:40:03 PST
Hi Adam! This patch moves the CSP check for 'frame-src' out of SubframeLoader and into PolicyChecker, which allows us to validate the whole redirect chain, and also seems like a better location semantically. FrameLoader is pretty complex, however, so I'm not actually sure I'm doing the right thing here. Would you mind taking a look? Thanks!
Adam Barth
Comment 3 2013-01-04 09:57:50 PST
Comment on attachment 181289 [details] Patch Yeah, putting this in policy checker is much better.
Mike West
Comment 4 2013-01-04 10:51:41 PST
Comment on attachment 181289 [details] Patch Glad I interpreted things correctly. Thanks for the review!
WebKit Review Bot
Comment 5 2013-01-04 11:14:42 PST
Comment on attachment 181289 [details] Patch Clearing flags on attachment: 181289 Committed r138818: <http://trac.webkit.org/changeset/138818>
WebKit Review Bot
Comment 6 2013-01-04 11:14:45 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.