Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 08a2933c1c9bfd9a1e0a51700620bebc2a87ad96
      
https://github.com/WebKit/WebKit/commit/08a2933c1c9bfd9a1e0a51700620bebc2a87ad96
  Author: Charlie Wolfe <[email protected]>
  Date:   2026-06-23 (Tue, 23 Jun 2026)

  Changed paths:
    M 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/meta-element.sub-expected.txt
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

  Log Message:
  -----------
  Inherited policy should not re-apply a meta-delivered sandbox directive
https://bugs.webkit.org/show_bug.cgi?id=317436
rdar://180062669

Reviewed by Ryan Reno.

`sandbox` is required to be removed from CSP delivered via <meta http-equiv> 
before enforcement:
https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy

We ignored the directive for the meta-hosting document, but preserved it in the 
serialized policy.
When inherited by about:blank, it was reparsed and enforced, incorrectly giving 
the child an opaque
origin.

Drop the sandbox directive when reparsing an inherited policy. So a 
header-delivered sandbox is
still inherited, carry the parent's already-resolved sandbox flags forward in 
copyStateFrom(),
mirroring upgrade-insecure-requests.

* 
LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/meta-element.sub-expected.txt:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom):

Canonical link: https://commits.webkit.org/315702@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to