
Issue 240058

Starred by 6 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 4
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



CSP 'object-src' directive should correctly handle redirects.

Project Member Reported by mkwst@chromium.org, May 11 2013

Issue description

Migrated from WebKit Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=97030
Originally reported 2012-09-18 11:18 PST by Mike West (mkwst@chromium.org).


Description:
CSP 'object-src' directive should correctly handle redirects.



Attachments:
2012-09-18 11:19 PST: Patch [https://bugs.webkit.org/attachment.cgi?id=164588&action=prettypatch]



Comments:
================================

Comment #1
Posted on 2012-09-18 11:19:02 PST by Mike West (mkwst@chromium.org)

Created an attachment (id=164588) [https://bugs.webkit.org/attachment.cgi?id=164588] [details] [https://bugs.webkit.org/attachment.cgi?id=164588&action=edit]
Patch

================================

Comment #2
Posted on 2012-09-18 11:27:38 PST by Mike West (mkwst@chromium.org)

I dislike plugins.

It looks like we're mishandling plugins loaded via redirect. I'm pretty sure that the attached test should block the plugin's final URL, but it doesn't. I've dug through a bit of plugin-loading code, but it quickly falls into platform-specific messiness.

So, I'll hopefully ask you folks: is there a point inside WebKit where we can make the CSP check? If not, can you help me track down where the plugin actually gets loaded so that I can add the proper hooks (or come up with some crazy delegate structure)?

Thanks!
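
The failure mode reported in Comment #2, as an added example that is not part of the original thread and is not WebKit or Chromium code: a simplified `object-src` check applied to every hop of a redirect chain rather than only to the initial request URL. The function names, the matcher (scheme, host and port only, paths ignored) and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: simplified CSP source matching (scheme, host, port; paths ignored).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the source list governing object loads, falling back to default-src.
function objectSrcList(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get("object-src") ?? directives.get("default-src") ?? null;
}

function matchesSource(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr === "*") return url.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false; // other quoted keywords never match a URL in this sketch
  const [, scheme, wildcard, host, port] = m;
  if (scheme ? url.protocol !== scheme.toLowerCase() + ":" : !(url.protocol in DEFAULT_PORT)) return false;
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  if (port === "*") return true;
  return port ? (url.port || DEFAULT_PORT[url.protocol]) === port : url.port === "";
}

// chain = [initial request URL, redirect target, ..., final URL]
function checkObjectLoad(policy, selfOrigin, chain) {
  const sources = objectSrcList(policy);
  if (sources === null) return { allowed: true, blockedAt: -1 }; // no governing directive
  for (let i = 0; i < chain.length; i++) {
    const url = new URL(chain[i]);
    if (!sources.some((s) => matchesSource(s, url, selfOrigin))) {
      return { allowed: false, blockedAt: i };
    }
  }
  return { allowed: true, blockedAt: -1 };
}

// Constructed sample: a same-origin URL that redirects to another host.
const SAMPLE_CHAIN = [
  "https://site.example/redirect?to=plugin",
  "https://plugins.other.example/movie.swf",
];
```

Checking only `SAMPLE_CHAIN[0]` against `object-src 'self'` passes, while checking the whole chain stops at index 1, the redirect target.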

================================

Comment #3
Posted on 2012-09-19 11:10:43 PST by Adam Barth (abarth@webkit.org)

This bug is going to be hard to fix.  Plugin loading works in a very port-specific manner.  I'd be inclined not to worry about this bug for a while.

================================

Comment #4
Posted on 2012-09-20 01:55:41 PST by Mike West (mkwst@chromium.org)

(In reply to comment #3 [https://bugs.webkit.org/show_bug.cgi?id=97030#c3])
> This bug is going to be hard to fix.  Plugin loading works in a very port-specific manner.  I'd be inclined not to worry about this bug for a while.

I'd be less concerned about it if we were talking about fonts or something otherwise mostly benign. I don't really like having a bug in object whitelisting. *shrug* That said, I agree that it's going to be a pain to fix. :)

================================

Comment #5
Posted on 2013-02-07 11:00:45 PST by Mike West (mkwst@chromium.org)

Unassigning myself; let's be realistic about what I'm actually working on. :/
 

Comment 1 by mkwst@chromium.org, May 11 2013

Porting this from the WebKit bugzilla.

Adam, is this any easier to tackle now that we're not concerned with port-specific behavior, but only Chromium's?

Comment 2 by abarth@chromium.org, May 13 2013

Probably.  I haven't studied the issue in detail.  We'd need to figure out how we load this data and whether there's a notification pathway for redirects.

Comment 3 by bugdroid1@chromium.org, May 20 2013

Labels: -WebKit-ID-97030 WebKit-ID-97030-NEW
https://bugs.webkit.org/show_bug.cgi?id=97030

Components: -Blink Blink>SecurityFeature

Comment 5 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 6 by mkwst@chromium.org, Jan 17 2018

Cc: -bauerb@chromium.org -abarth@chromium.org
Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
Not sure if this is still an issue. Andy?

Comment 7 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 8 by bugdroid1@chromium.org, Oct 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1

commit a2068f8c0ba01fab688943a06bc8b3476ca4d3f1
Author: Andy Paicu <andypaicu@chromium.org>
Date: Thu Oct 04 14:37:19 2018

Fixed object-src tests

As part of checking if the linked bug is still an issue, I have taken
the opportunity to fix the current mostly nonsensical tests.

Bug:  240058 
Change-Id: I716d43d38be6dd161aa0437dbda03f2c77eb6d88
Reviewed-on: https://chromium-review.googlesource.com/c/1225886
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#596662}
[modify] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/TestExpectations
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-2_1.html
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-2_1.html.sub.headers
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-2_2.html
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-2_2.html.sub.headers
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-no-url-allowed.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-no-url-allowed.html.sub.headers
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-no-url-allowed.sub.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-no-url-blocked.html
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-no-url-blocked.sub.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-allowed.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-allowed.html.sub.headers
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-allowed.sub.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-blocked.html
[delete] https://crrev.com/6a72ecb118e3b180d8f064373f5129204072afea/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-blocked.sub.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-embed-allowed.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-embed-allowed.html.sub.headers
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-embed-blocked.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-redirect-allowed.html
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-redirect-allowed.html.sub.headers
[add] https://crrev.com/a2068f8c0ba01fab688943a06bc8b3476ca4d3f1/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/object-src/object-src-url-redirect-blocked.sub.html

Status: Fixed (was: Assigned)
Not an issue anymore but I took this opportunity to fix object-src tests and a redirect case.
