Branch: refs/heads/webkitglib/2.46
Home: https://github.com/WebKit/WebKit
Commit: b1ba0d92a5a67aa46643bd6d07fa69de2bd41589
https://github.com/WebKit/WebKit/commit/b1ba0d92a5a67aa46643bd6d07fa69de2bd41589
Author: Michael Catanzaro <[email protected]>
Date: 2025-01-09 (Thu, 09 Jan 2025)
Changed paths:
M Source/WebCore/loader/DocumentWriter.cpp
M Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp
Log Message:
-----------
Cherry-pick 288026@main (a2b811f9d215).
https://bugs.webkit.org/show_bug.cgi?id=264355

Content Security Policy for previous load should not apply to subsequent
alternate HTML load
https://bugs.webkit.org/show_bug.cgi?id=264355

Reviewed by Ryan Reno.

A substitute data load occurs when WebKit decides to load a URL using
its own web content rather than the website's usual web content. In
practice, browsers do this when displaying error pages, such as network
error pages or TLS error pages. Since the web content is controlled by
the web browser, it is inappropriate to inherit security policy from the
triggering action.

This fixes error pages in Epiphany after visiting a website that sets
CSP. For example, visit https://duckduckgo.com/ then visit
https://expired.badssl.com/ which should display a TLS error page.
Before this commit, DuckDuckGo's CSP applies to the error page and
blocks the lock icon. CSP on other websites may also break Epiphany's
button for bypassing the certificate error, since the button uses
JavaScript.

The new test is written by Patrick Griffis (thank you!).

* Source/WebCore/loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
* Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebKitWebView.cpp:
(testWebViewLoadAlternateHTMLFromPageWithCSP):
(beforeAll):

Canonical link: https://commits.webkit.org/288026@main
Canonical link: https://commits.webkit.org/282416.380@webkitglib/2.46