Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3ac584d8fd7978a2c2751862e80687e982b5f9f7
      https://github.com/WebKit/WebKit/commit/3ac584d8fd7978a2c2751862e80687e982b5f9f7
  Author: Roberto Rodriguez <[email protected]>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    A LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc-expected.txt
    A LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc.html
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt
    M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
    M Source/WebCore/page/csp/ContentSecurityPolicySource.cpp

  Log Message:
  -----------
  Fix CSP 'self' source matching for opaque-origin documents
https://bugs.webkit.org/show_bug.cgi?id=308756
rdar://171275989

Reviewed by Ryan Reno.

WebKit fails to enforce base-uri 'self' inside sandboxed srcdoc iframes
because the origin that 'self' resolves to (inherited from the parent)
gets reset to the opaque origin when a <meta> CSP tag is processed, and
schemeMatches() incorrectly allows HTTPS URLs to match when that origin
has an empty scheme (opaque origins lack scheme/host/port tuple fields).

Preserve the inherited self-origin for opaque-origin documents by
skipping updateSourceSelf() when the security origin is opaque. Guard
the 'self' scheme upgrade in schemeMatches() to require a non-empty
scheme, preventing any URL from matching an opaque 'self'.

Test: http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc.html

* LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc-expected.txt: Added.
* LayoutTests/http/wpt/content-security-policy/base-uri/base-uri-self-sandboxed-srcdoc.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/sandbox-iframe-expected.txt:
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext):
* Source/WebCore/page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::schemeMatches const):

Originally-landed-as: 305413.582@rapid/safari-7624.2.5.110-branch (8ed9a1e4e1e0). rdar://176062356
Canonical link: https://commits.webkit.org/314912@main
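
The two changes the log message describes, as a simplified C++ model added here (not WebKit source and not part of the commit). All names are hypothetical, an opaque origin is modeled as an empty scheme, and only the scheme step of 'self' matching is covered; host and port comparison are left out.

```cpp
// Simplified model of the two changes; every name here is hypothetical,
// not WebKit source. Only the scheme step of 'self' matching is modeled.
#include <iostream>
#include <string>

struct Origin {
    std::string scheme; // assumption: an opaque origin is modeled as an empty scheme
    bool isOpaque() const { return scheme.empty(); }
};

struct Policy {
    std::string selfScheme; // scheme that 'self' resolves to

    // Runs when a <meta> CSP is processed in the document.
    void updateSelf(const Origin& documentOrigin, bool fixed) {
        if (fixed && documentOrigin.isOpaque())
            return; // keep the self-origin inherited from the parent
        selfScheme = documentOrigin.scheme;
    }

    // Scheme step of matching a URL against 'self'.
    bool selfSchemeMatches(const std::string& urlScheme, bool fixed) const {
        bool secure = urlScheme == "https" || urlScheme == "wss";
        // 'self' scheme upgrade; the fixed form requires 'self' to have a scheme.
        if (secure && (!fixed || !selfScheme.empty()))
            return true;
        return selfScheme == urlScheme;
    }
};

// Sandboxed srcdoc frame: 'self' is inherited from the parent, then a <meta> CSP is processed.
std::string selfAfterMeta(const std::string& parentScheme, bool fixed) {
    Policy policy{parentScheme};
    policy.updateSelf(Origin{""}, fixed);
    return policy.selfScheme;
}

bool opaqueSelfMatches(const std::string& urlScheme, bool fixed) {
    return Policy{""}.selfSchemeMatches(urlScheme, fixed);
}

int main() {
    std::cout << "self after <meta>, before: '" << selfAfterMeta("https", false) << "'\n"
              << "self after <meta>, after:  '" << selfAfterMeta("https", true) << "'\n"
              << "opaque self vs https, before: " << opaqueSelfMatches("https", false) << "\n"
              << "opaque self vs https, after:  " << opaqueSelfMatches("https", true) << "\n";
}
```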


