Dynamically added CSP not respected for preloaded resource discovery
Categories
(Core :: DOM: Security, defect, P3)
People
(Reporter: noam.j.rosenthal, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-low, Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Steps to reproduce:
- Preload an image using <link rel=preload>
- Add a CSP <meta> tag to disable images
- Add an image that matches the preloaded link
See https://github.com/web-platform-tests/wpt/pull/33109
Actual results:
The image was loaded
Expected results:
The image should have been blocked by CSP.
This is also the behavior on WebKit/Chromium.
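The three reproduction steps above as a single self-contained test page. This is an added example, not the WPT test linked from the bug: the image path is a placeholder, and the page has to be served from an HTTP origin (not file://) so the preload and the CSP meta tag behave normally. The page also listens for securitypolicyviolation so a CSP block can be told apart from an ordinary network error.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Dynamically added CSP vs. preloaded image</title>
<!-- Step 1: issue the preload before any CSP exists on the page.
     The path is a placeholder (assumption); any same-origin image works. -->
<link rel="preload" as="image" href="/images/placeholder.png">
<body>
<pre id="log"></pre>
<script>
  const IMG_URL = '/images/placeholder.png';  // must match the preload href
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };

  // A CSP-blocked fetch dispatches securitypolicyviolation on the document;
  // seeing it here distinguishes a policy block from a plain 404 or network error.
  document.addEventListener('securitypolicyviolation', (e) => {
    log(`CSP violation: ${e.violatedDirective} blocked ${e.blockedURI}`);
  });

  // Step 2: add the policy dynamically, after the preload has already been started.
  const meta = document.createElement('meta');
  meta.httpEquiv = 'Content-Security-Policy';
  meta.content = "img-src 'none'";
  document.head.appendChild(meta);

  // Step 3: request the same URL with an <img>. Expected: the error event fires and
  // a violation is logged. The behavior reported in this bug: the image is served
  // from the preload cache without being re-checked against the new policy.
  const img = new Image();
  img.onload  = () => log("FAIL: image loaded despite img-src 'none'");
  img.onerror = () => log('PASS: image blocked by the dynamically added CSP');
  img.src = IMG_URL;
  document.body.appendChild(img);
</script>
```

Open the page in each browser under test and read the log: a correct implementation prints the PASS line together with a CSP violation entry; the bug shows up as the FAIL line with no violation event at all.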
Reporter
Comment 1•2 years ago
See Fetch PR to make this explicit in the spec: https://github.com/whatwg/fetch/pull/1411
Comment 2•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 3•2 years ago
Why is there a WPT test already if the spec has not actually been updated yet? We agree with this intent, but the process seems way ahead of itself.
Reporter
Comment 4•2 years ago
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Why is there a WPT test already if the spec has not actually been updated yet? We agree with this intent, but the process seems way ahead of itself.
The WPT and spec change are both PRs pending consensus.
Merging a spec PR requires WPTs and implementation bugs to be filed.
What would you suggest to do differently?