Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b4390e8352b7dc2ebbf53659e0ed9c3017b4efd2
https://github.com/WebKit/WebKit/commit/b4390e8352b7dc2ebbf53659e0ed9c3017b4efd2
Author: Charlie Wolfe <[email protected]>
Date: 2026-04-28 (Tue, 28 Apr 2026)
Changed paths:
A
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-import-bypass-expected.txt
A
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-import-bypass.html
A
LayoutTests/http/tests/security/contentSecurityPolicy/resources/module-pass.py
M
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt
M Source/WebCore/loader/DocumentWriter.cpp
Log Message:
-----------
Fix CSP bypass in sandboxed srcdoc iframes
https://bugs.webkit.org/show_bug.cgi?id=304951
rdar://154201938
Reviewed by Ryan Reno and Pascoe.
Only inherit the policy container from history item during back/forward
navigations. Previously, iframes
without an initial srcdoc attribute could bypass CSP when srcdoc was set
dynamically because they
incorrectly inherited from history instead of from the actual initiator.
Test: http/tests/security/contentSecurityPolicy/iframe-srcdoc-import-bypass.html
*
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-import-bypass-expected.txt:
Added.
*
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-import-bypass.html:
Added.
*
LayoutTests/http/tests/security/contentSecurityPolicy/resources/module-pass.py:
Added.
*
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt:
* Source/WebCore/loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
Originally-landed-as: 305413.3@safari-7624-branch (ffc8c894635c).
rdar://173968774
Canonical link: https://commits.webkit.org/312236@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
