Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0445ac553799b27c80ebc292d372e0663ad70b8a
      
https://github.com/WebKit/WebKit/commit/0445ac553799b27c80ebc292d372e0663ad70b8a
  Author: Ryan Reno <[email protected]>
  Date:   2022-12-19 (Mon, 19 Dec 2022)

  Changed paths:
    M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

  Log Message:
  -----------
  Store CSP delivered via meta tag as a valid HTTP header.
https://bugs.webkit.org/show_bug.cgi?id=249596
rdar://103170891

Reviewed by Brent Fulgham.

A CSP delivered via a meta tag could have invalid HTTP header values in it. Take for example this:

<meta http-equiv="Content-Security-Policy" content="
    default-src 'none';
    script-src 'self';
    img-src 'self'">

The value of the CSP header that the ContentSecurityPolicyDirectiveList will get will be the raw
string including whitespace and most importantly newline characters. These newline characters are
invalid characters in an HTTP header[0].

The parsing algorithm for CSP handles this appropriately and creates a valid CSP for the document. However,
if a script in the document then creates blob URLs which are navigated to or otherwise fetched, the Network
process will return a ResourceResponse object with a Content-Security-Policy header that contains the newlines.
This is caught by the ResourceResponseBase::containsInvalidHTTPHeaders function which causes the fetch to fail.

To combat this we can simply strip the newline characters from the meta-delivered CSP and store the policy as a
valid HTTP header.

[0] https://fetch.spec.whatwg.org/#header-value

* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse):

Canonical link: https://commits.webkit.org/258110@main
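
Added example, not part of the commit and not WebKit's code: a standalone C++ sketch of the Fetch header-value check [0] applied to the meta-delivered policy from the log message, before and after newline stripping. The function names are hypothetical, and trimming the leading/trailing spaces left behind after stripping is an assumption of this sketch, not something the commit message states.

```cpp
#include <iostream>
#include <string>
#include <string_view>

// Fetch "header value": contains no NUL, CR or LF bytes and has no
// leading or trailing HTTP tab or space.
bool isValidHeaderValue(std::string_view value)
{
    auto isTabOrSpace = [](char c) { return c == ' ' || c == '\t'; };
    if (!value.empty() && (isTabOrSpace(value.front()) || isTabOrSpace(value.back())))
        return false;
    for (char c : value) {
        if (c == '\0' || c == '\r' || c == '\n')
            return false;
    }
    return true;
}

// Hypothetical helper: strip CR/LF from a meta-delivered policy so it can
// be stored as a header value. The edge trim is this sketch's assumption.
std::string toStorableHeader(std::string_view raw)
{
    std::string out;
    out.reserve(raw.size());
    for (char c : raw) {
        if (c != '\r' && c != '\n')
            out.push_back(c);
    }
    const auto first = out.find_first_not_of(" \t");
    if (first == std::string::npos)
        return {};
    const auto last = out.find_last_not_of(" \t");
    return out.substr(first, last - first + 1);
}

// Constructed sample: the content attribute of the meta tag shown above,
// exactly as a parser would receive it (newlines and indentation included).
const std::string kMetaContent =
    "\n    default-src 'none';\n    script-src 'self';\n    img-src 'self'";

int main()
{
    std::cout << "raw valid:    " << isValidHeaderValue(kMetaContent) << '\n';
    const std::string stored = toStorableHeader(kMetaContent);
    std::cout << "stored valid: " << isValidHeaderValue(stored) << '\n';
    std::cout << "stored value: [" << stored << "]\n";
    return 0;
}
```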

