Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a2b811f9d215673ed789980acc598fd86d924e19
https://github.com/WebKit/WebKit/commit/a2b811f9d215673ed789980acc598fd86d924e19
Author: Michael Catanzaro <[email protected]>
Date: 2024-12-18 (Wed, 18 Dec 2024)
Changed paths:
M Source/WebCore/loader/DocumentWriter.cpp
M Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp
Log Message:
-----------
Content Security Policy for previous load should not apply to subsequent
alternate HTML load
https://bugs.webkit.org/show_bug.cgi?id=264355
Reviewed by Ryan Reno.
A substitute data load occurs when WebKit decides to load a URL using
its own web content rather than the website's usual web content. In
practice, browsers do this when displaying error pages, such as network
error pages or TLS error pages. Since the web content is controlled by
the web browser, it is inappropriate to inherit security policy from the
triggering action.
This fixes error pages in Epiphany after visiting a website that sets
CSP. For example, visit https://duckduckgo.com/ then visit
https://expired.badssl.com/ which should display a TLS error page.
Before this commit, DuckDuckGo's CSP applies to the error page and
blocks the lock icon. CSP on other websites may also break Epiphany's
button for bypassing the certificate error, since the button uses
JavaScript.
The new test is written by Patrick Griffis (thank you!).
* Source/WebCore/loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
* Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp:
(testWebViewLoadAlternateHTMLFromPageWithCSP):
(beforeAll):
Canonical link: https://commits.webkit.org/288026@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes