Issue 595486

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Content-Security-Policy header "disappears" after Save-Page-As

Project Member Reported by lukasza@chromium.org, Mar 16 2016

Issue description

Right now HTML serializers in Blink (the one for MHTML and the one for HTML) do not persist the Content-Security-Policy header from the HTTP headers. Is that a problem? (i.e. content that used to be blocked by CSP when looking at a page via HTTP will no longer be blocked after saving the page and opening it via the file: scheme - is that okay [given that the origin of the page is different from what it was originally / via HTTP]?)

Note that there is a (single...) precedent where HTML serializers preserve some <meta http-equiv ...> tags - ones for character encoding.  Potentially something similar could be done for Content-Security-Policy.
 
Cc: alex...@chromium.org mkwst@chromium.org dim...@chromium.org est...@chromium.org
Mike, I wonder if you could triage severity of this bug.  I assume that it is a well known and accepted issue that http headers get dropped when reopening after saving to a local filesystem.  OTOH, I wanted to double-check with you in case this is something that we might want (need?) to prevent.

Comment 2 by dim...@chromium.org, Mar 16 2016

Owner: dim...@chromium.org
I can take this until it's fixed. The plan so far is to block certain types of access from an MHTML-loaded document. See bug 586034 for more details.

Comment 3 by dim...@chromium.org, Mar 16 2016

Components: UI>Browser>Offline
Status: Assigned (was: Untriaged)

Comment 5 by dim...@chromium.org, Sep 27 2016

Status: WontFix (was: Assigned)
This works as intended. The CSP headers are used during load and the resulting DOM reflects that. The MHTML snapshot is a static 'printout' of the page and does not re-interpret or load additional resources when loaded.

Comment 6 by mkwst@chromium.org, Sep 29 2016

dimich@: This is fine as long as the MHTML file is neutered and inert. If/when you plan to revitalize MHTML by giving it an origin and allowing script execution, you'll need to persist the security headers like CSP that govern script execution.
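
The issue description suggests persisting CSP the way the serializers already preserve the charset `<meta http-equiv ...>` tag. As an added example (not Blink code and not posted by anyone in this thread), the Python below rewrites a saved page so that each enforced policy travels with it as a `<meta>` element; the function names and the sample headers and page are assumptions constructed for illustration.

```python
import html
import re

# Directives the CSP specification ignores when a policy arrives via <meta>.
META_UNSUPPORTED = {"report-uri", "frame-ancestors", "sandbox"}

# Constructed sample: headers of the original HTTP response and the saved page.
SAMPLE_HEADERS = [
    ("Content-Security-Policy",
     "script-src 'self'; frame-ancestors 'none'; report-uri /csp"),
    ("Content-Security-Policy-Report-Only", "default-src 'none'"),
]
SAMPLE_PAGE = ('<!DOCTYPE html><html><head><meta charset="utf-8">'
               '<script src="x.js"></script></head><body></body></html>')

def meta_safe_policy(policy):
    """Drop directives that have no effect in a <meta>-delivered policy."""
    kept = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in META_UNSUPPORTED:
            kept.append(" ".join(tokens))
    return "; ".join(kept)

def persist_csp(saved_html, headers):
    """Insert one <meta http-equiv> per enforced policy right after <head>."""
    metas = []
    for name, value in headers:
        # The Report-Only header cannot be expressed in <meta>; skip it.
        if name.lower() != "content-security-policy":
            continue
        # One header may carry several comma-separated policies; each is
        # enforced independently, so each gets its own element.
        for policy in value.split(","):
            policy = meta_safe_policy(policy)
            if policy:
                metas.append(
                    '<meta http-equiv="Content-Security-Policy" content="%s">'
                    % html.escape(policy, quote=True))
    if not metas:
        return saved_html
    match = re.search(r"<head\b[^>]*>", saved_html, re.IGNORECASE)
    if match is None:
        # Fail closed instead of writing a page without its policy.
        raise ValueError("saved page has no <head> element")
    # A <meta> policy only governs content parsed after it: put it first.
    return (saved_html[:match.end()] + "".join(metas)
            + saved_html[match.end():])
```

A policy persisted this way is weaker than the header it came from: report-only policies and the `frame-ancestors`, `sandbox` and `report-uri` directives are lost, and host-based source expressions are evaluated against the saved copy's new origin.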
