Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 00534948835e357313fb11e13bda0e58486df5fc
https://github.com/WebKit/WebKit/commit/00534948835e357313fb11e13bda0e58486df5fc
Author: Roberto Rodriguez <[email protected]>
Date: 2026-06-30 (Tue, 30 Jun 2026)
Changed paths:
A
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-expected.txt
A
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic-expected.txt
A
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic.html
A
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive.html
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
M Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp
Log Message:
-----------
Lowercase CSP directive names eagerly
https://bugs.webkit.org/show_bug.cgi?id=317730
rdar://180530658
Reviewed by Anne van Kesteren.
Lowercase each CSP directive name as soon as it is read, aligning with the
'Parse a serialized CSP'
section of the CSP Level 3 spec
(https://flagged.apple.com:443/proxy?t2=DO6k0z2aR3&o=aHR0cHM6Ly93M2MuZ2l0aHViLmlvL3dlYmFwcHNlYy1jc3AvI3BhcnNlLXNlcmlhbGl6ZWQtcG9saWN5&emid=07bec016-8b2d-4fe1-a614-19a400b0d67a&c=11).
The case insensitive name comparisons become plain equality checks, and the
extra lowercasing in the
reporting path is removed. When an author writes a directive name in some
casing other than the spec's
lowercase form, it now behaves like the lowercase form.
Test:
http/tests/security/contentSecurityPolicy/directive-name-case-insensitive.html
http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic.html
*
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-expected.txt:
Added.
*
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic-expected.txt:
Added.
*
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic.html:
Added.
*
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive.html:
Added.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation const):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse):
(WebCore::ContentSecurityPolicyDirectiveList::parseDirective):
(WebCore::ContentSecurityPolicyDirectiveList::addDirective):
*
Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar const):
Canonical link:
https://flagged.apple.com:443/proxy?t2=dJ6K4h7LW2&o=aHR0cHM6Ly9jb21taXRzLndlYmtpdC5vcmcvMzE2MTYwQG1haW4=&emid=07bec016-8b2d-4fe1-a614-19a400b0d67a&c=11
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications