Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f8ed382fb244cc24f40767858ae369267075bd9a
      
https://github.com/WebKit/WebKit/commit/f8ed382fb244cc24f40767858ae369267075bd9a
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    A LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-inherits-multiple-csp-policies-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-inherits-multiple-csp-policies.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/resources/create-blob-iframe.js
    A LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-csp-blob-iframe.py
    M LayoutTests/imported/w3c/web-platform-tests/trusted-types/inheriting-csp-for-local-schemes-expected.txt
    M Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp

  Log Message:
  -----------
  Fix CSP policy loss in blob: URL inheritance when page sends multiple CSP headers
https://bugs.webkit.org/show_bug.cgi?id=308906
rdar://168927377

Reviewed by Anne van Kesteren.

A page with two or more CSP headers correctly enforces those policies on
itself, but blob: URLs it creates only see the last one. The policies
are correctly captured in the policy container, but
ContentSecurityPolicyResponseHeaders::addPolicyHeadersTo() writes them
to the blob response using ResourceResponse::setHTTPHeaderField(), which
overwrites policies rather than appending them together.

Change to use ResourceResponse::addHTTPHeaderField() which
comma-concatenates the values and preserves all CSP policies.

Test: http/tests/security/contentSecurityPolicy/blob-url-inherits-multiple-csp-policies.html

* LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-inherits-multiple-csp-policies-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-inherits-multiple-csp-policies.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/resources/create-blob-iframe.js: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-csp-blob-iframe.py: Added.
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/inheriting-csp-for-local-schemes-expected.txt:
* Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp:
(WebCore::ContentSecurityPolicyResponseHeaders::addPolicyHeadersTo const):

Originally-landed-as: 305413.385@rapid/safari-7624.2.5.110-branch (a90148642299). rdar://176066951
Canonical link: https://commits.webkit.org/314996@main
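The following is an added illustration of the bug described in the commit message, not WebKit code: a hypothetical HeaderMap stands in for ResourceResponse, with set() overwriting like setHTTPHeaderField() and add() comma-joining like addHTTPHeaderField(), and inheritedPolicies() copies a page's CSP policies onto a blob: response the way addPolicyHeadersTo() does, so the number of policies the blob document ends up enforcing can be compared under both behaviours. The two sample policies are constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>
// Hypothetical stand-in for the two header setters the commit message
// contrasts; this is not WebKit's ResourceResponse.
struct HeaderMap {
    std::map<std::string, std::string> fields;
    // setHTTPHeaderField-style: any earlier value is overwritten.
    void set(const std::string& name, const std::string& value) { fields[name] = value; }
    // addHTTPHeaderField-style: a repeated header is comma-joined onto the first.
    void add(const std::string& name, const std::string& value) {
        auto it = fields.find(name);
        if (it == fields.end()) fields.emplace(name, value);
        else it->second += ", " + value;
    }
};

// Split a serialized CSP list back into its policies: each comma-separated
// member is an independent policy that the document must enforce.
std::vector<std::string> parsePolicies(const std::string& value) {
    std::vector<std::string> out;
    std::string item;
    std::stringstream ss(value);
    while (std::getline(ss, item, ',')) {
        size_t a = item.find_first_not_of(" \t"), b = item.find_last_not_of(" \t");
        if (a != std::string::npos) out.push_back(item.substr(a, b - a + 1));
    }
    return out;
}

// Copy the page's policies onto a blob: response the way addPolicyHeadersTo
// does, then report which policies the blob document would actually see.
std::vector<std::string> inheritedPolicies(const std::vector<std::string>& pagePolicies, bool append) {
    HeaderMap blobResponse;
    for (const auto& policy : pagePolicies) {
        if (append) blobResponse.add("Content-Security-Policy", policy);
        else blobResponse.set("Content-Security-Policy", policy);
    }
    return parsePolicies(blobResponse.fields["Content-Security-Policy"]);
}

int main() {
    // Constructed sample: a page that sent two separate CSP headers.
    std::vector<std::string> page = { "script-src 'self'", "img-src 'none'" };
    std::cout << "set: " << inheritedPolicies(page, false).size() << " policy\n";  // 1 (script-src lost)
    std::cout << "add: " << inheritedPolicies(page, true).size() << " policies\n"; // 2
}
```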
