Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 01c89d15c3f8e75934784f53bf7816bc6c6fb636
https://github.com/WebKit/WebKit/commit/01c89d15c3f8e75934784f53bf7816bc6c6fb636
Author: Roberto Rodriguez <[email protected]>
Date: 2026-06-15 (Mon, 15 Jun 2026)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-after-redirect.sub-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-after-redirect.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-all-directives.sub-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-all-directives.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-allows-same-origin-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-allows-same-origin.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-blocks-cross-origin.sub-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-blocks-cross-origin.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-via-header-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-via-header.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-multi-directive.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self-and-cross-origin.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self-redirect-target.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-cross-pass.js
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-self-pass.js
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-self-style.css
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-with-csp-header-self.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-with-csp-header-self.html.headers
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Log Message:
-----------
CSP 'self' does not match in opaque-origin http(s) documents
https://bugs.webkit.org/show_bug.cgi?id=316847
rdar://178638597
Reviewed by Ryan Reno.
314912@main introduced a regression where 'self' no longer matches anything in the CSP of an http(s) document with an opaque origin (such as one inside an <iframe sandbox> without allow-same-origin). Same-origin scripts, styles, images, and nested iframes all get refused. WebKit resolves 'self' against the opaque origin (which has no host), when per CSP3 2.2.2 it should be using the response URL's origin.

Fix by adding a check in the CSP constructor that when the runtime origin is opaque and the URL is http(s) we derive 'self' from m_protectedURL. Non-opaque documents keep resolving 'self' through their own origin, so opaque local-scheme documents (about:blank, srcdoc, blob:, etc.) keep inheriting 'self' from the parent via Document::initSecurityContext.
Tests:
imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-after-redirect.sub.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-all-directives.sub.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-allows-same-origin.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-blocks-cross-origin.sub.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-via-header.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-multi-directive.sub.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self-and-cross-origin.sub.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self-redirect-target.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self.html
imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-with-csp-header-self.html
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-after-redirect.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-after-redirect.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-all-directives.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-all-directives.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-allows-same-origin-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-allows-same-origin.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-blocks-cross-origin.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-blocks-cross-origin.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-via-header-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/iframe-self-via-header.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-multi-directive.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self-and-cross-origin.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self-redirect-target.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/csp-self.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-cross-pass.js: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-self-pass.js: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-self-style.css: Added.
(.iframe-self-style-marker):
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-with-csp-header-self.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/support/iframe-with-csp-header-self.html.headers: Added.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
Canonical link: https://commits.webkit.org/315247@main
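As an added illustration of the behaviour the commit message describes (this is not WebKit code and is not taken from ContentSecurityPolicy.cpp), the following Node-runnable model derives 'self' for a document whose runtime origin is opaque and checks candidate subresource URLs against it, before and after the described fix. The matching rules are my approximation of CSP3 'self' keyword matching (same host; same scheme or an http-to-https / ws-to-wss upgrade; same port or each side on its scheme's default port), the treatment of the response URL as the post-redirect URL is an assumption, and the host names, paths and the function names are constructed for the example.

```javascript
// Added example, not WebKit code: a model of deriving CSP 'self' for a document
// whose runtime origin is opaque (an http(s) page inside <iframe sandbox> without
// allow-same-origin). The matching rules are an approximation of CSP3 'self'
// keyword matching, not a transcription of WebCore's implementation.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Tuple origin {scheme, host, port} for a URL; an absent port is normalised to
// the scheme default so that http://a.test and http://a.test:80 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// Opaque origins are modelled as null: a sandboxed document has no scheme/host/port
// to compare against, which is why 'self' resolved against it matches nothing.
const OPAQUE = null;

// Regressed behaviour: 'self' taken straight from the runtime origin, so an
// opaque origin yields a 'self' that can never match any URL.
function selfFromRuntimeOrigin(runtimeOrigin) {
  return runtimeOrigin;
}

// Fixed behaviour as the message describes it: when the runtime origin is opaque
// and the response URL is http(s), 'self' is derived from the response URL's
// origin. Non-opaque documents keep their own origin; opaque local-scheme
// documents (about:blank, srcdoc, blob:) are left to the existing inheritance path
// (represented here by returning null).
function selfForDocument(runtimeOrigin, responseUrl) {
  if (runtimeOrigin !== OPAQUE) return runtimeOrigin;
  const scheme = new URL(responseUrl).protocol;
  if (scheme === 'http:' || scheme === 'https:') return originOf(responseUrl);
  return OPAQUE;
}

// Assumption: the response URL is the final URL after redirects, so a frame whose
// request was redirected derives 'self' from where it landed, not what it asked for.
function selfForNavigation(runtimeOrigin, requestUrl, redirectChain = []) {
  const responseUrl = redirectChain.length ? redirectChain[redirectChain.length - 1] : requestUrl;
  return selfForDocument(runtimeOrigin, responseUrl);
}

// CSP3-style 'self' match: same host; same scheme or an http->https / ws->wss
// upgrade; same port, or each side sitting on its own scheme's default port.
function selfMatches(selfOrigin, urlString) {
  if (selfOrigin === OPAQUE) return false;
  const target = originOf(urlString);
  if (target.host !== selfOrigin.host) return false;
  const schemeOk =
    target.scheme === selfOrigin.scheme ||
    (selfOrigin.scheme === 'http:' && (target.scheme === 'https:' || target.scheme === 'wss:')) ||
    (selfOrigin.scheme === 'https:' && target.scheme === 'wss:');
  if (!schemeOk) return false;
  if (target.port === selfOrigin.port) return true;
  return target.port === DEFAULT_PORTS[target.scheme] && selfOrigin.port === DEFAULT_PORTS[selfOrigin.scheme];
}

// Evaluate a list of subresource loads under a policy of just 'self' for a
// sandboxed (opaque-origin) document, before and after the fix.
function evaluateSandboxedFrame(documentUrl, loads) {
  const before = selfFromRuntimeOrigin(OPAQUE);
  const after = selfForDocument(OPAQUE, documentUrl);
  return loads.map((url) => ({
    url,
    allowedBeforeFix: selfMatches(before, url),
    allowedAfterFix: selfMatches(after, url),
  }));
}

// Constructed sample: a sandboxed frame served from https://www1.example.test
// loading a same-origin script, a same-origin stylesheet and a cross-origin script.
const RESULTS = evaluateSandboxedFrame('https://www1.example.test/support/csp-self.html', [
  'https://www1.example.test/support/iframe-self-pass.js',
  'https://www1.example.test/support/iframe-self-style.css',
  'https://www2.example.test/support/iframe-cross-pass.js',
]);

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of RESULTS) console.log(r);
}
```

Run with `node` to print one record per load: before the fix every load is refused because 'self' resolves against the opaque origin; after it the two same-origin loads match and the cross-origin one is still blocked, which is the split the added WPT tests exercise.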