MHTML broken when Content-Security-Policy declared via <meta> element
Issue description
Repro:
1. Launch Chrome with MHTML enabled in Save-Page-As UI by using --save-page-as-mhtml flag (normally it is only enabled on ChromeOS + via extensions + via Offline Pages feature).
2. Open a page that declares CSP directives via <meta> element and embeds one or more child frames from an origin whitelisted via child-src:
<meta http-equiv="Content-Security-Policy"
content="img-src 'self'; child-src 'self'">
3. Save the page from the previous step as MHTML
4. Open MHTML in Chrome
Expected behavior: MHTML renders in the same way as the original page
Actual behavior: MHTML cannot open child frames:
Refused to frame 'cid:frame-2-A869839A-6287-4C4B-ADDF-AB62C4AF9FBF@mhtml.blink' because it violates the following Content Security Policy directive: "child-src 'self'
(MHTML uses 'cid:' scheme to link to other MHTML parts - see https://tools.ietf.org/html/rfc2557#section-8.3).
Mar 16 2016
+alexmos@
Mar 16 2016
Mar 23 2016
Sep 27 2016
Need to remove the meta tag - potentially part of the MHTML sanitizer project.
Sep 29 2016
Same comment as the other bug: removing `<meta>` is a fine workaround as long as MHTML remains inert. If/when it grows an origin and executes script, removing the page's policy is dangerous.
Jan 26 2017
Part of MHTML sanitization.
Feb 22 2017
Feb 23 2017
Comment #7: MHTML as we know it will have to be inert forever... To be used as a 'printout' of a page. If it grows origin trust it'll likely be a different standard.
Feb 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6c1dadffa7a8dcb5479c9b259f059de6d99af8b4

commit 6c1dadffa7a8dcb5479c9b259f059de6d99af8b4
Author: jianli <jianli@chromium.org>
Date: Mon Feb 27 23:53:47 2017

Do not serialize meta element containing Content-Security-Policy

BUG= 595476
TEST=test updated

Review-Url: https://codereview.chromium.org/2713663003
Cr-Commit-Position: refs/heads/master@{#453398}

[modify] https://crrev.com/6c1dadffa7a8dcb5479c9b259f059de6d99af8b4/third_party/WebKit/Source/web/WebFrameSerializer.cpp
[modify] https://crrev.com/6c1dadffa7a8dcb5479c9b259f059de6d99af8b4/third_party/WebKit/Source/web/tests/WebFrameSerializerTest.cpp
[modify] https://crrev.com/6c1dadffa7a8dcb5479c9b259f059de6d99af8b4/third_party/WebKit/Source/web/tests/data/frameserialization/remove_elements.html
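The approach named in the commit title above, sketched as an added example (not Chromium's WebFrameSerializer code, which is C++ in Blink): a Python re-serializer that omits `<meta http-equiv="Content-Security-Policy">` elements and keeps everything else. `CspMetaStripper`, `strip_csp_meta` and the sample markup are hypothetical names and constructed input; as the Sep 29 2016 comment says, dropping the policy is only acceptable while the saved page stays inert.

```python
from html import escape
from html.parser import HTMLParser

class CspMetaStripper(HTMLParser):
    """Re-serialize HTML, omitting <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entity refs as written
        self.out, self.dropped = [], 0

    def _emit(self, tag, attrs, tail):
        # Names arrive lower-cased; on duplicate attributes HTML keeps the first.
        equiv = dict(reversed(attrs)).get("http-equiv") or ""
        if tag == "meta" and equiv.strip().lower() == "content-security-policy":
            self.dropped += 1
            return
        parts = [tag] + [k if v is None else f'{k}="{escape(v)}"' for k, v in attrs]
        self.out.append("<" + " ".join(parts) + tail)

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, ">")
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " />")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

def strip_csp_meta(html):
    parser = CspMetaStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped  # (serialized HTML, elements dropped)

SAMPLE = (  # constructed; the first policy is the one from the issue description
    '<!DOCTYPE html><meta charset="utf-8">'
    '<meta http-equiv="Content-Security-Policy" content="img-src \'self\'; child-src \'self\'">'
    '<META HTTP-EQUIV="content-security-policy" CONTENT="script-src \'none\'" />'
    '<p>a &amp; b</p><iframe src="frame.html"></iframe>'
)
```

`strip_csp_meta(SAMPLE)` drops both policy elements, including the upper-case self-closing variant, and leaves the charset `<meta>` and the frame untouched.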
Feb 28 2017
Comment 1 by lukasza@chromium.org, Mar 16 2016