Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 00534948835e357313fb11e13bda0e58486df5fc
      
https://github.com/WebKit/WebKit/commit/00534948835e357313fb11e13bda0e58486df5fc
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-06-30 (Tue, 30 Jun 2026)

  Changed paths:
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-expected.txt
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic-expected.txt
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic.html
    A 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive.html
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

  Log Message:
  -----------


Lowercase CSP directive names eagerly
https://bugs.webkit.org/show_bug.cgi?id=317730
rdar://180530658

Reviewed by Anne van Kesteren.

Lowercase each CSP directive name as soon as it is read, aligning with the 
'Parse a serialized CSP'
section of the CSP Level 3 spec 
(https://flagged.apple.com:443/proxy?t2=DO6k0z2aR3&o=aHR0cHM6Ly93M2MuZ2l0aHViLmlvL3dlYmFwcHNlYy1jc3AvI3BhcnNlLXNlcmlhbGl6ZWQtcG9saWN5&emid=07bec016-8b2d-4fe1-a614-19a400b0d67a&c=11).
The case insensitive name comparisons become plain equality checks, and the 
extra lowercasing in the
reporting path is removed. When an author writes a directive name in some 
casing other than the spec's
lowercase form, it now behaves like the lowercase form.

Test: 
http/tests/security/contentSecurityPolicy/directive-name-case-insensitive.html
     
http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic.html

*
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-expected.txt:
 Added.
* 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic-expected.txt:
 Added.
* 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive-strict-dynamic.html:
 Added.
* 
LayoutTests/http/tests/security/contentSecurityPolicy/directive-name-case-insensitive.html:
 Added.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation const):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::parse):
(WebCore::ContentSecurityPolicyDirectiveList::parseDirective):
(WebCore::ContentSecurityPolicyDirectiveList::addDirective):
*
Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar const):

Canonical link:
https://flagged.apple.com:443/proxy?t2=dJ6K4h7LW2&o=aHR0cHM6Ly9jb21taXRzLndlYmtpdC5vcmcvMzE2MTYwQG1haW4=&emid=07bec016-8b2d-4fe1-a614-19a400b0d67a&c=11



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to