Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 08a2933c1c9bfd9a1e0a51700620bebc2a87ad96
https://github.com/WebKit/WebKit/commit/08a2933c1c9bfd9a1e0a51700620bebc2a87ad96
Author: Charlie Wolfe <[email protected]>
Date: 2026-06-23 (Tue, 23 Jun 2026)
Changed paths:
M
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/meta-element.sub-expected.txt
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Log Message:
-----------
Inherited policy should not re-apply a meta-delivered sandbox directive
https://bugs.webkit.org/show_bug.cgi?id=317436
rdar://180062669
Reviewed by Ryan Reno.
`sandbox` is required to be removed from CSP delivered via <meta http-equiv>
before enforcement:
https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy
We ignored the directive for the meta-hosting document, but preserved it in the
serialized policy.
When inherited by about:blank, it was reparsed and enforced, incorrectly giving
the child an opaque
origin.
Drop the sandbox directive when reparsing an inherited policy. So a
header-delivered sandbox is
still inherited, carry the parent's already-resolved sandbox flags forward in
copyStateFrom(),
mirroring upgrade-insecure-requests.
*
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/meta-element.sub-expected.txt:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom):
Canonical link: https://commits.webkit.org/315702@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications