Bug 116067
Summary: | CSP: Redirects in DocumentThreadableLoader should respect the active policy | | |
---|---|---|---|
Product: | WebKit | Reporter: | Ryosuke Niwa <rniwa> |
Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | | |
Severity: | Normal | CC: | ap, beidson, bfulgham, dbates |
Priority: | P2 | Keywords: | BlinkMergeCandidate |
Version: | 528+ (Nightly build) | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Ryosuke Niwa
We should probably merge
https://chromium.googlesource.com/chromium/blink/+/2853f594838e8bf24813482ad02f87853cae4366
CSP: Redirects in DocumentThreadableLoader should respect the active policy.
Canary currently fails test 150[1] and 156[2] of Erlend Oftedal's "CSP Testing"
checks[3]. Both fail because we currently only check the URL to which an XHR
connects during 'xhr.open()'. This patch adjusts the checks happening inside
DocumentThreadableLoader::redirectReceived in order to verify that the URL to
which we've been redirected passes through the page's Content Security Policy
as well.
[1]: http://csptesting.herokuapp.com/test/load/150
[2]: http://csptesting.herokuapp.com/test/load/156
[3]: http://csptesting.herokuapp.com/
Daniel Bates
*** This bug has been marked as a duplicate of bug 69359 ***
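
The gap described in the commit message quoted above, modelled as an added example (not WebKit or Blink code): a loader that consults `connect-src` only for the URL given at open time, beside one that also checks every redirect target. The origins, the redirect table and all function names are constructed for illustration, and source matching is simplified to exact origins and `'self'`.

```javascript
// Simplified model (assumption): connect-src lists exact origins or 'self'.
// Real CSP source matching also handles wildcards, schemes and paths.
function allowedByConnectSrc(connectSrc, url, pageOrigin) {
  const origin = new URL(url).origin;
  return connectSrc.some((src) =>
    src === "'self'" ? origin === pageOrigin : origin === src
  );
}

// Constructed redirect table standing in for the network (URL -> Location).
const REDIRECTS = new Map([
  ["https://app.example/api/data", "https://other.example/collect"],
]);
const MAX_REDIRECTS = 20;

// checkRedirects=false models the reported behaviour: the policy is consulted
// only for the initial URL. checkRedirects=true re-checks each redirect target.
function load(url, connectSrc, pageOrigin, checkRedirects) {
  if (!allowedByConnectSrc(connectSrc, url, pageOrigin)) {
    return { ok: false, blockedAt: url, hops: [] };
  }
  const hops = [url];
  let current = url;
  while (REDIRECTS.has(current)) {
    const next = REDIRECTS.get(current);
    if (hops.length > MAX_REDIRECTS) {
      return { ok: false, blockedAt: next, hops }; // redirect loop guard
    }
    if (checkRedirects && !allowedByConnectSrc(connectSrc, next, pageOrigin)) {
      return { ok: false, blockedAt: next, hops };
    }
    hops.push(next);
    current = next;
  }
  return { ok: true, blockedAt: null, hops };
}

const PAGE_ORIGIN = "https://app.example";
const CONNECT_SRC = ["'self'"]; // models: Content-Security-Policy: connect-src 'self'
const START = "https://app.example/api/data";

function demo() {
  return {
    openOnly: load(START, CONNECT_SRC, PAGE_ORIGIN, false),
    everyHop: load(START, CONNECT_SRC, PAGE_ORIGIN, true),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```
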