Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 933debd495d6ece891099cbe8e0f040afa5a4357
      
https://github.com/WebKit/WebKit/commit/933debd495d6ece891099cbe8e0f040afa5a4357
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-06-14 (Sun, 14 Jun 2026)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/worklets/audio-worklet-csp.https-expected.txt
    M LayoutTests/platform/glib/TestExpectations
    A LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-allows-eval-expected.txt
    A LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-allows-eval.html
    A LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-blocks-eval-expected.txt
    A LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-blocks-eval.html
    A LayoutTests/security/contentSecurityPolicy/resources/audioworklet-inherits-allows-eval.js
    A LayoutTests/security/contentSecurityPolicy/resources/audioworklet-inherits-blocks-eval.js
    M Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
    M Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp
    M Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp
    M Source/WebCore/loader/FetchOptions.h
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerGlobalScope.h
    M Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp
    M Source/WebCore/workers/WorkerOrWorkletGlobalScope.h
    M Source/WebCore/worklets/PaintWorkletGlobalScope.cpp
    M Source/WebCore/worklets/WorkletParameters.h
    M Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp

  Log Message:
  -----------
  Propagate CSP directives from the creating document to WorkletGlobalScope
https://bugs.webkit.org/show_bug.cgi?id=309004
rdar://170500592

Reviewed by Ryan Reno.

WorkletGlobalScope is initialized with an empty ContentSecurityPolicy,
so CSP restrictions like blocking eval() are not enforced inside
AudioWorklet or PaintWorklet.

Fix by moving WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders()
up to WorkerOrWorkletGlobalScope base class, adding the document's CSP
response headers to WorkletParameters and applying them in
AudioWorkletGlobalScope/PaintWorkletGlobalScope::tryCreate().

Fix CSP directive selection for worklet module fetches, which were
incorrectly checked against worker-src instead of script-src.

Tests: security/contentSecurityPolicy/audioworklet-inherits-allows-eval.html
       security/contentSecurityPolicy/audioworklet-inherits-blocks-eval.html

* LayoutTests/imported/w3c/web-platform-tests/worklets/audio-worklet-csp.https-expected.txt:
* LayoutTests/platform/glib/TestExpectations:
* LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-allows-eval-expected.txt: Added.
* LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-allows-eval.html: Added.
* LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-blocks-eval-expected.txt: Added.
* LayoutTests/security/contentSecurityPolicy/audioworklet-inherits-blocks-eval.html: Added.
* LayoutTests/security/contentSecurityPolicy/resources/audioworklet-inherits-allows-eval.js: Added.
(EvalTestProcessor):
(EvalTestProcessor.prototype.process):
* LayoutTests/security/contentSecurityPolicy/resources/audioworklet-inherits-blocks-eval.js: Added.
(EvalTestProcessor):
(EvalTestProcessor.prototype.process):
* Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::tryCreate):
* Source/WebCore/Modules/webaudio/AudioWorkletMessagingProxy.cpp:
(WebCore::generateWorkletParameters):
* Source/WebCore/bindings/js/WorkerModuleScriptLoader.cpp:
(WebCore::WorkerModuleScriptLoader::load):
* Source/WebCore/loader/FetchOptions.h:
(WebCore::isWorkletDestination):
(WebCore::isScriptLikeDestination):
* Source/WebCore/workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Deleted.
* Source/WebCore/workers/WorkerGlobalScope.h:
* Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp:
(WebCore::WorkerOrWorkletGlobalScope::applyContentSecurityPolicyResponseHeaders):
* Source/WebCore/workers/WorkerOrWorkletGlobalScope.h:
* Source/WebCore/worklets/PaintWorkletGlobalScope.cpp:
(WebCore::PaintWorkletGlobalScope::tryCreate):
* Source/WebCore/worklets/WorkletParameters.h:
(WebCore::WorkletParameters::isolatedCopy const):
(WebCore::WorkletParameters::isolatedCopy):
* Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):

Originally-landed-as: 305413.406@rapid/safari-7624.2.5.110-branch (95fd4539c956). rdar://176067205
Canonical link: https://commits.webkit.org/315193@main
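
The two behaviours named in the log message (a worklet scope starting with an empty policy, and worklet module fetches being checked against worker-src), as an added JavaScript model that is not part of the commit or of WebKit. Function names and the sample header are constructed; the fallback order is taken from CSP Level 3.

```javascript
// Added illustration, not WebKit source. Directive names and fallback order
// follow CSP Level 3; every function name here is hypothetical.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Map a fetch destination to the directive that is consulted first.
function effectiveDirective(destination) {
  if (['script', 'audioworklet', 'paintworklet'].includes(destination)) return 'script-src-elem';
  if (['worker', 'sharedworker', 'serviceworker'].includes(destination)) return 'worker-src';
  throw new Error(`unmodelled destination: ${destination}`);
}

// Parse one Content-Security-Policy header value into directive -> sources.
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// First directive in the fallback chain that the policy actually declares.
function governingDirective(policy, destination) {
  return FALLBACK[effectiveDirective(destination)].find((d) => policy.has(d)) ?? null;
}

// eval() is allowed when neither script-src nor default-src is declared,
// or when the one that governs lists 'unsafe-eval'.
function allowsEval(policy) {
  const name = ['script-src', 'default-src'].find((d) => policy.has(d));
  return name === undefined || policy.get(name).some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Policy in force inside the worklet scope. An empty Map models the
// uninherited state the log message describes.
function workletScopePolicy(documentHeader, inheritsFromDocument) {
  return inheritsFromDocument ? parsePolicy(documentHeader) : new Map();
}

// Constructed sample header for a document that creates an AudioWorklet.
const SAMPLE = "script-src 'self'; worker-src https://cdn.example";
console.log(governingDirective(parsePolicy(SAMPLE), 'audioworklet'));
console.log(allowsEval(workletScopePolicy(SAMPLE, false)), allowsEval(workletScopePolicy(SAMPLE, true)));
```

With the sample header, a check against worker-src would accept a module from https://cdn.example that script-src 'self' refuses, and an empty scope policy lets eval() run although the document's policy forbids it.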
