Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c82619cff53ac6f2650ce195e821bab699fb82a1
https://github.com/WebKit/WebKit/commit/c82619cff53ac6f2650ce195e821bab699fb82a1
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-04-13 (Mon, 13 Apr 2026)

  Changed paths:
    M LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html
    M LayoutTests/platform/wk2/TestExpectations
    M Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicySource.h

  Log Message:
  -----------
  CSP: Port upgrade matching should only apply to insecure source schemes
https://bugs.webkit.org/show_bug.cgi?id=308747
rdar://171265255

Reviewed by Brent Fulgham.

A CSP source expression such as "frame-src https://host:80"; incorrectly
matches https://host (port 443). The mismatch (80 ≠ 443) should cause
a block, but WebKit has scheme upgrade logic that treats default ports
as equivalent during http-to-https transitions. This logic does not
verify the source scheme is insecure, so it treats any source with
port 80 as upgradable — even when the source scheme is already HTTPS.

Have schemeMatches() return a SchemeMatchResult enum that distinguishes
exact matches from insecure-to-secure upgrades, and pass this to
portMatches() so the upgrade path only fires when a scheme upgrade is
actually occurring. This also fixes an edge case with schemeless source
expressions. Both functions are annotated with CSP3 spec step references.

* LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html:
* LayoutTests/platform/wk2/TestExpectations:
* Source/WebCore/page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::portMatches const):

Canonical link: https://commits.webkit.org/311148@main
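The matching logic the commit message describes, as an added example that is not WebKit's code: a simplified C++ reconstruction of CSP scheme-part and port-part matching, with the pre-fix port check (default-port equivalence applied to any source on port 80) beside the fixed shape (equivalence only when schemeMatches() reports an insecure-to-secure upgrade, and a schemeless expression inheriting the protected resource's scheme). The names schemeMatches, portMatchesBuggy, portMatchesFixed, sourceMatches, the Source and Url structs and the SchemeMatchResult values are assumptions of this illustration and only follow the description above; host matching is reduced to an exact string compare and path matching is omitted.

```cpp
#include <optional>
#include <string>

// Outcome of scheme-part matching. Distinguishing an exact match from an
// insecure-to-secure upgrade is the point of the fix described above.
enum class SchemeMatchResult { NoMatch, Exact, Upgrade };

// Scheme-part matching as CSP3 describes it: identical schemes match exactly;
// http may be satisfied by https and ws by wss (or https); anything else fails.
SchemeMatchResult schemeMatches(const std::string& sourceScheme, const std::string& urlScheme)
{
    if (sourceScheme == urlScheme)
        return SchemeMatchResult::Exact;
    if (sourceScheme == "http" && urlScheme == "https")
        return SchemeMatchResult::Upgrade;
    if (sourceScheme == "ws" && (urlScheme == "wss" || urlScheme == "https"))
        return SchemeMatchResult::Upgrade;
    return SchemeMatchResult::NoMatch;
}

std::optional<int> defaultPortForScheme(const std::string& scheme)
{
    if (scheme == "http" || scheme == "ws")
        return 80;
    if (scheme == "https" || scheme == "wss")
        return 443;
    return std::nullopt;
}

// Simplified source expression (assumed shape): an empty scheme means the
// expression is schemeless; a nullopt port means no port-part was written.
struct Source {
    std::string scheme;
    std::string host;
    std::optional<int> port;
    bool wildcardPort = false;
};

// Simplified URL: a nullopt port means the URL is on its scheme's default port.
struct Url {
    std::string scheme;
    std::string host;
    std::optional<int> port;
};

// Reconstruction of the pre-fix behaviour the commit message describes: the
// 80 ~ 443 default-port equivalence is applied without checking that the
// source scheme is insecure, so "https://host:80" is treated as upgradable.
bool portMatchesBuggy(const Source& source, const Url& url)
{
    if (source.wildcardPort)
        return true;
    std::optional<int> urlDefault = defaultPortForScheme(url.scheme);
    int urlPort = url.port ? *url.port : urlDefault.value_or(-1);
    if (!source.port)
        return !url.port || url.port == urlDefault;
    if (*source.port == urlPort)
        return true;
    return *source.port == 80 && urlPort == 443; // fires even for https sources
}

// Fixed shape: the default-port equivalence only applies when schemeMatches()
// reported a genuine insecure-to-secure upgrade, and each side is compared
// against the default port of its own (effective) scheme.
bool portMatchesFixed(const Source& source, const std::string& effectiveScheme, const Url& url, SchemeMatchResult schemeResult)
{
    if (source.wildcardPort)
        return true;
    std::optional<int> urlDefault = defaultPortForScheme(url.scheme);
    int urlPort = url.port ? *url.port : urlDefault.value_or(-1);
    if (!source.port)
        return !url.port || url.port == urlDefault;
    if (*source.port == urlPort)
        return true;
    if (schemeResult != SchemeMatchResult::Upgrade)
        return false;
    return source.port == defaultPortForScheme(effectiveScheme) && urlDefault && urlPort == *urlDefault;
}

// Whole-expression check. A schemeless expression takes the protected
// resource's scheme before scheme-part matching; host match is exact here.
bool sourceMatches(const Source& source, const Url& url, const std::string& selfScheme)
{
    const std::string& effectiveScheme = source.scheme.empty() ? selfScheme : source.scheme;
    SchemeMatchResult schemeResult = schemeMatches(effectiveScheme, url.scheme);
    if (schemeResult == SchemeMatchResult::NoMatch)
        return false;
    if (source.host != url.host)
        return false;
    return portMatchesFixed(source, effectiveScheme, url, schemeResult);
}
```

With the commit's own case, `Source{"https", "host", 80}` against `Url{"https", "host", std::nullopt}` (port 443), portMatchesBuggy() returns true while sourceMatches() returns false; the same expression written as `http://host:80` still matches the https URL, because there the scheme result is Upgrade.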