Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 2a8526c8f62291c1aad56394bd815d3504f02b03
https://github.com/WebKit/WebKit/commit/2a8526c8f62291c1aad56394bd815d3504f02b03
Author: Ryan Reno <rr...@apple.com>
Date: 2025-08-22 (Fri, 22 Aug 2025)
Changed paths:
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-from-header-report-only-nonce.sub-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-from-header-report-only-nonce.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-from-header-report-only-nonce.sub.html.sub.headers
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-report-only-nonce.sub-expected.txt
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-report-only-nonce.sub.html
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-report-only-nonce.sub.html.sub.headers
A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass.js
M Source/WebCore/html/parser/HTMLResourcePreloader.cpp

Log Message:
-----------
CSP: Link header with rel=preload does not recognize nonces
https://bugs.webkit.org/show_bug.cgi?id=222484
rdar://75060055

Reviewed by Ryosuke Niwa.

Erroneous CSP violations can happen if a CSP report-only header has a nonce and we attempt a preload that contains the nonce. When building a preload request we aren't copying the nonce from the link header or element's nonce attribute into the fetch options we use when creating the resource request. So later, when the loader tries to validate that we're allowed to do the load, there's no nonce to check against, and we can trip over a Content-Security-Policy-Report-Only header and generate an erroneous violation report.

* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-from-header-report-only-nonce.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-from-header-report-only-nonce.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-from-header-report-only-nonce.sub.html.sub.headers: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-report-only-nonce.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-report-only-nonce.sub.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/link-preload-report-only-nonce.sub.html.sub.headers: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/support/pass.js: Added.
* Source/WebCore/html/parser/HTMLResourcePreloader.cpp:
(WebCore::PreloadRequest::resourceRequest):

Canonical link: https://commits.webkit.org/299070@main
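The failure mode the commit message describes, as an added toy model (this is not WebKit code and not the WPT test content; all function names, header values and URLs are made up for the illustration). The model assumes a Link header of the form `</support/pass.js>; rel=preload; as=script; nonce="..."`, a policy matcher reduced to `'nonce-…'`, `'self'`, `*` and literal origins, and a simplified violation-report object. `buildPreloadRequest(link, false)` mimics the pre-fix preloader that never copied the nonce into the fetch options; `buildPreloadRequest(link, true)` mimics the fixed one. The report-only policy never blocks either way, which is exactly why the bug surfaced as spurious reports rather than a broken page.

```javascript
// Added illustration, not WebKit code: how a Content-Security-Policy-Report-Only
// nonce check treats a rel=preload request depending on whether the preloader
// copied the nonce from the Link header / <link nonce> into the request.
// Names, headers and URLs below are constructed for the example.

// Parse one Link header value such as
//   </support/pass.js>; rel=preload; as=script; nonce="abc123"
// into { href, rel, as, nonce }. (Assumes nonce travels as a Link parameter.)
function parseLinkHeader(value, baseUrl) {
  const m = value.match(/^\s*<([^>]*)>\s*(.*)$/);
  if (!m) throw new Error(`malformed Link header: ${value}`);
  const link = { href: new URL(m[1], baseUrl).href };
  for (const param of m[2].split(';')) {
    const kv = param.trim().match(/^([A-Za-z-]+)\s*=\s*"?([^"]*)"?$/);
    if (kv) link[kv[1].toLowerCase()] = kv[2];
  }
  return link;
}

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Directive governing a preload with the given `as` value, else default-src.
function governingDirective(policy, destination) {
  const byDestination = { script: 'script-src', style: 'style-src', font: 'font-src', image: 'img-src' };
  const specific = byDestination[destination];
  if (specific && policy[specific]) return specific;
  return policy['default-src'] ? 'default-src' : null;
}

// Source-expression matching reduced to: 'nonce-…', 'self', '*', literal origin.
function allowsSource(sources, url, nonce, documentOrigin) {
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src.startsWith("'nonce-")) return Boolean(nonce) && src === `'nonce-${nonce}'`;
    if (src === "'self'") return origin === documentOrigin;
    if (src === '*') return true;
    return src === origin;
  });
}

// Run a preload request past every CSP header on the document. Enforced
// policies block on mismatch; report-only ones never block but still report.
function checkPreload(responseHeaders, documentOrigin, request) {
  const reports = [];
  let blocked = false;
  for (const { name, value } of responseHeaders) {
    const lower = name.toLowerCase();
    const reportOnly = lower === 'content-security-policy-report-only';
    if (!reportOnly && lower !== 'content-security-policy') continue;
    const policy = parsePolicy(value);
    const directive = governingDirective(policy, request.as);
    if (!directive) continue;
    if (allowsSource(policy[directive], request.url, request.nonce, documentOrigin)) continue;
    reports.push({ violatedDirective: directive, blockedUri: request.url, disposition: reportOnly ? 'report' : 'enforce' });
    if (!reportOnly) blocked = true;
  }
  return { blocked, reports };
}

// Preloader building the fetch options. propagateNonce=false mimics the
// pre-fix behaviour: the nonce never reaches the request, so the check sees none.
function buildPreloadRequest(link, propagateNonce) {
  return { url: link.href, as: link.as, nonce: propagateNonce ? link.nonce : undefined };
}

// Constructed scenario: report-only policy allowing only a nonced script,
// plus a Link: rel=preload carrying that nonce.
function demo() {
  const documentUrl = 'https://www1.example.test/page.html';
  const documentOrigin = new URL(documentUrl).origin;
  const responseHeaders = [
    { name: 'Content-Security-Policy-Report-Only', value: "script-src 'nonce-abc123'" },
    { name: 'Link', value: '</support/pass.js>; rel=preload; as=script; nonce="abc123"' },
  ];
  const link = parseLinkHeader(responseHeaders[1].value, documentUrl);
  return {
    nonceDropped: checkPreload(responseHeaders, documentOrigin, buildPreloadRequest(link, false)),
    noncePropagated: checkPreload(responseHeaders, documentOrigin, buildPreloadRequest(link, true)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows `nonceDropped` producing one `script-src` report with `disposition: 'report'` and `blocked: false`, while `noncePropagated` produces no report. The practical check for a site operator is the same: if a report-only rollout shows `script-src` violations for resources that carry a valid nonce and the page still works, suspect the preload path before suspecting the policy.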