Skip to site navigation (Press enter)
[webkit-changes] [WebKit/WebKit] 705349: blob: URLs are allowed in
s when CSP’s `fr...</span></a></span> </h1> <p class="darkgray font13"> <span class="sender pipe"><a href="/search?l=webkit-changes@lists.webkit.org&q=from:%22Roberto+Rodriguez%22" rel="nofollow"><span itemprop="author" itemscope itemtype="http://schema.org/Person"><span itemprop="name">Roberto Rodriguez</span></span></a></span> <span class="date"><a href="/search?l=webkit-changes@lists.webkit.org&q=date:20260319" rel="nofollow">Thu, 19 Mar 2026 09:47:26 -0700</a></span> </p> </div> <div itemprop="articleBody" class="msgBody"> <!--X-Body-of-Message--> <pre> Branch: refs/heads/main Home: <a rel="nofollow" href="https://github.com/WebKit/WebKit">https://github.com/WebKit/WebKit</a> Commit: 70534942aada5b6edcf5ac964c4237fee89ae082 <a rel="nofollow" href="https://github.com/WebKit/WebKit/commit/70534942aada5b6edcf5ac964c4237fee89ae082">https://github.com/WebKit/WebKit/commit/70534942aada5b6edcf5ac964c4237fee89ae082</a> Author: Roberto Rodriguez <roberto_rodrigu...@apple.com> Date: 2026-03-19 (Thu, 19 Mar 2026)</pre><pre> Changed paths: A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-blob-matches-blob.sub-expected.txt A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-blob-matches-blob.sub.html A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-self-does-not-match-blob.sub-expected.txt A LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html M Source/WebCore/page/csp/ContentSecurityPolicy.cpp M Source/WebCore/page/csp/ContentSecurityPolicy.h M Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp Log Message: ----------- blob: URLs are allowed in <iframe>s when CSP’s `frame-src` contains `‘self’`. <a rel="nofollow" href="https://bugs.webkit.org/show_bug.cgi?id=308752">https://bugs.webkit.org/show_bug.cgi?id=308752</a> rdar://171268629 Reviewed by Ryan Reno. Remove the frame-src + blob: URL special case in urlMatchesSelf() that extracts the blob: URL's creator origin and passes it through 'self' matching. While §6.7.2.8 step 4.1 of the CSP spec (<a rel="nofollow" href="https://w3c.github.io/webappsec-csp/#match-url-to-source-expression">https://w3c.github.io/webappsec-csp/#match-url-to-source-expression</a>) compares origins - for which a blob: URL is evaluated with creator's origin - this is a known spec bug (github.com/w3c/webappsec-csp/issues/487). Tests: imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-blob-matches-blob.sub.html imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-blob-matches-blob.sub-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-blob-matches-blob.sub.html: Added. * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-self-does-not-match-blob.sub-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html: Added. * Source/WebCore/page/csp/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::urlMatchesSelf const): * Source/WebCore/page/csp/ContentSecurityPolicy.h: * Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp: (WebCore::ContentSecurityPolicySourceList::matches const): Canonical link: <a rel="nofollow" href="https://commits.webkit.org/309559@main">https://commits.webkit.org/309559@main</a> To unsubscribe from these emails, change your notification settings at <a rel="nofollow" href="https://github.com/WebKit/WebKit/settings/notifications">https://github.com/WebKit/WebKit/settings/notifications</a> </pre> </div> <div class="msgButtons margintopdouble"> <ul class="overflow"> <li class="msgButtonItems"><a class="button buttonleft " accesskey="p" href="msg246043.html">Previous message</a></li> <li class="msgButtonItems textaligncenter"><a class="button" accesskey="c" href="index.html#246044">View by thread</a></li> <li class="msgButtonItems textaligncenter"><a class="button" accesskey="i" href="maillist.html#246044">View by date</a></li> <li class="msgButtonItems textalignright"><a class="button buttonright " accesskey="n" href="msg246045.html">Next message</a></li> </ul> </div> <a name="tslice"></a> <div class="tSliceList margintopdouble"> <ul class="icons monospace"> </ul> </div> <div class="overflow msgActions margintopdouble"> <div class="msgReply" > <h2> Reply via email to </h2> <form method="POST" action="/mailto.php"> <input type="hidden" name="subject" value="[webkit-changes] [WebKit/WebKit] 705349: blob: URLs are allowed in <iframe>s when CSP’s `fr..."> <input type="hidden" name="msgid" value="WebKit/WebKit/push/refs/heads/main/ef0549-705349@github.com"> <input type="hidden" name="relpath" value="webkit-changes@lists.webkit.org/msg246044.html"> <input type="submit" value=" Roberto Rodriguez "> </form> </div> </div> </div> <div class="aside" role="complementary"> <div class="logo"> <a href="/"><img src="/logo.png" width=247 height=88 alt="The Mail Archive"></a> </div> <form class="overflow" action="/search" method="get"> <input type="hidden" name="l" value="webkit-changes@lists.webkit.org"> <label class="hidden" for="q">Search the site</label> <input class="submittext" type="text" id="q" name="q" placeholder="Search webkit-changes"> <input class="submitbutton" name="submit" type="image" src="/submit.png" alt="Submit"> </form> <div class="nav margintop" id="nav" role="navigation"> <ul class="icons font16"> <li class="icons-home"><a href="/">The Mail Archive home</a></li> <li class="icons-list"><a href="/webkit-changes@lists.webkit.org/">webkit-changes - all messages</a></li> <li class="icons-about"><a href="/webkit-changes@lists.webkit.org/info.html">webkit-changes - about the list</a></li> <li class="icons-expand"><a href="/search?l=webkit-changes@lists.webkit.org&q=subject:%22%5C%5Bwebkit%5C-changes%5C%5D+%5C%5BWebKit%5C%2FWebKit%5C%5D+705349%5C%3A+blob%5C%3A+URLs+are+allowed+in+%3Ciframe%3Es+when+CSP%E2%80%99s+%60fr...%22&o=newest&f=1" title="e" id="e">Expand</a></li> <li class="icons-prev"><a href="msg246043.html" title="p">Previous message</a></li> <li class="icons-next"><a href="msg246045.html" title="n">Next message</a></li> </ul> </div> <div class="listlogo margintopdouble"> </div> <div class="margintopdouble"> </div> </div> </div> <div class="footer" role="contentinfo"> <ul> <li><a href="/">The Mail Archive home</a></li> <li><a href="/faq.html#newlist">Add your mailing list</a></li> <li><a href="/faq.html">FAQ</a></li> <li><a href="/faq.html#support">Support</a></li> <li><a href="/faq.html#privacy">Privacy</a></li> <li class="darkgray">WebKit/WebKit/push/refs/heads/main/ef0549-705349@github.com</li> </ul> </div> </body> </html> <script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'9df8369a0a950d7f',t:'MTc3NDA0NjM3MA=='};var a=document.createElement('script');a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script>