Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a2b811f9d215673ed789980acc598fd86d924e19
      
https://github.com/WebKit/WebKit/commit/a2b811f9d215673ed789980acc598fd86d924e19
  Author: Michael Catanzaro <[email protected]>
  Date:   2024-12-18 (Wed, 18 Dec 2024)

  Changed paths:
    M Source/WebCore/loader/DocumentWriter.cpp
    M Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp

  Log Message:
  -----------
  Content Security Policy for previous load should not apply to subsequent 
alternate HTML load
https://bugs.webkit.org/show_bug.cgi?id=264355

Reviewed by Ryan Reno.

A substitute data load occurs when WebKit decides to load a URL using
its own web content rather than the website's usual web content. In
practice, browsers do this when displaying error pages, such as network
error pages or TLS error pages. Since the web content is controlled by
the web browser, it is inappropriate to inherit security policy from the
triggering action.

This fixes error pages in Epiphany after visiting a website that sets
CSP. For example, visit https://duckduckgo.com/ then visit
https://expired.badssl.com/ which should display a TLS error page.
Before this commit, DuckDuckGo's CSP applies to the error page and
blocks the lock icon. CSP on other websites may also break Epiphany's
button for bypassing the certificate error, since the button uses
JavaScript.

The new test is written by Patrick Griffis (thank you!).

* Source/WebCore/loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
* Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp:
(testWebViewLoadAlternateHTMLFromPageWithCSP):
(beforeAll):

Canonical link: https://commits.webkit.org/288026@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to