Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c6228aba1c0fe9fe956dbd7315d585715d88328b
https://github.com/WebKit/WebKit/commit/c6228aba1c0fe9fe956dbd7315d585715d88328b
Author: Roberto Rodriguez <[email protected]>
Date: 2026-05-08 (Fri, 08 May 2026)
Changed paths:
M LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-embed-blocked-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-embed-blocked.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-blocked-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-blocked.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-embed-blocked-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-embed-blocked.html
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
M Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp
M Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h
Log Message:
-----------
CSP object-src with an empty source list should block plugin elements without a data/src attribute
https://bugs.webkit.org/show_bug.cgi?id=308775
rdar://171298717

Reviewed by Brent Fulgham.

When an <object> or <embed> element has no data/src attribute, WebKit previously passed an empty URL
to the CSP check with special-case logic that only blocked for the literal 'none' keyword. An empty
source list (object-src;) was incorrectly allowed despite being equivalent to 'none' per CSP Level 3 §6.7.2.7.

Remove the special-case handling from §6.1.9 entirely. Instead, use the document's own URL as a fallback for source list
matching when the element has no associated URL. The document URL will naturally fail to match empty source lists
and 'none' (blocked), but will match 'self' or wildcard (allowed).

Tests:
imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-embed-blocked.html
imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-blocked.html
imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-embed-blocked.html
* LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-embed-blocked-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-embed-blocked.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-blocked-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-blocked.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-embed-blocked-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/object-src/object-src-no-url-empty-source-list-embed-blocked.html: Added.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowObjectFromSource const):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkSource):
(WebCore::checkFrameAncestors):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource const):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h:
* Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp:
(WebCore::ContentSecurityPolicySourceListDirective::allows):
* Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h:
Canonical link: https://commits.webkit.org/312899@main
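
The behaviour change described in the log message, as an added example: a simplified JavaScript model written for this page, not WebKit's code. The function names and the sample document URL are assumptions; `default-src` fallback and path, port and wildcard-host matching are left out.

```javascript
// Simplified model of object-src source-list matching; not WebKit's implementation.
// Handles only an empty list, 'none', 'self', '*' and exact-origin sources with a scheme.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const isNone = (sources) => sources.length === 1 && sources[0].toLowerCase() === "'none'";

function sourceListAllows(sources, url, documentUrl) {
  // An empty source list and a lone 'none' both match no URL at all.
  if (sources.length === 0 || isNone(sources)) return false;
  const target = new URL(url);
  return sources.some((source) => {
    if (source === '*') return ['http:', 'https:'].includes(target.protocol);
    if (source.toLowerCase() === "'self'") return target.origin === new URL(documentUrl).origin;
    try { return new URL(source).origin === target.origin; } catch { return false; }
  });
}

// Before the fix, as the log message describes it: an element with no URL is
// special-cased and blocked only when the source list is the literal 'none'.
function allowsObjectBefore(policy, elementUrl, documentUrl) {
  const sources = parsePolicy(policy).get('object-src');
  if (sources === undefined) return true; // no object-src directive in this model
  if (!elementUrl) return !isNone(sources);
  return sourceListAllows(sources, elementUrl, documentUrl);
}

// After the fix: no special case; the document URL stands in for the missing element URL.
function allowsObjectAfter(policy, elementUrl, documentUrl) {
  const sources = parsePolicy(policy).get('object-src');
  if (sources === undefined) return true; // no object-src directive in this model
  return sourceListAllows(sources, elementUrl || documentUrl, documentUrl);
}

const DOC = 'https://app.example/page.html'; // constructed sample document URL
for (const p of ['object-src;', "object-src 'none'", "object-src 'self'", 'object-src *'])
  console.log(p, '| before:', allowsObjectBefore(p, '', DOC), '| after:', allowsObjectAfter(p, '', DOC));
```

Only the `object-src;` row differs between the two columns: the empty source list is allowed by the old special case and blocked once the document URL is matched against it.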