85233 2012-04-30 14:21:52 -0700 CSP shouldn't block about:blank for iframes 2012-05-04 10:41:39 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 53572 1 webkit.review.bot abarth abarth darin eric mkwst oldest_to_newest 612947 0 webkit.review.bot 2012-04-30 14:21:52 -0700 CSP shouldn't block about:blank for iframes Requested by abarth on #webkit. 615724 1 140115 abarth 2012-05-03 15:48:57 -0700 Created attachment 140115 Patch 615740 2 mkwst 2012-05-03 16:00:16 -0700 It might be preferable to check that the URL is, in fact, `about:blank`, rather than allowing anything under `about:`. I know Chromium redirects to `chrome://`, and Safari doesn't do anything dangerous, but perhaps some other port exposes something interesting under `about:*`? 615744 3 abarth 2012-05-03 16:04:21 -0700 WebKit treats all "about" URLs as about:blank. The redirect you see in Chrome takes place before the URL gets to WebKit. :) 615752 4 140115 eric 2012-05-03 16:14:21 -0700 Comment on attachment 140115 Patch about:banana! 615779 5 140115 webkit.review.bot 2012-05-03 16:38:33 -0700 Comment on attachment 140115 Patch Rejecting attachment 140115 from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: git/webkit-commit-queue/Source/WebKit/chromium/ui --revision 134581 --non-interactive --force --accept theirs-conflict --ignore-externals' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' 46>At revision 134581. ________ running '/usr/bin/python tools/clang/scripts/update.py --mac-only' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' ________ running '/usr/bin/python gyp_webkit' in '/mnt/git/webkit-commit-queue/Source/WebKit/chromium' Updating webkit projects from gyp files... Full output: http://queues.webkit.org/results/12620267 615842 6 140115 webkit.review.bot 2012-05-03 17:52:34 -0700 Comment on attachment 140115 Patch Clearing flags on attachment: 140115 Committed r116052: <http://trac.webkit.org/changeset/116052> 615844 7 webkit.review.bot 2012-05-03 17:52:46 -0700 All reviewed patches have been landed. Closing bug. 616373 8 darin 2012-05-04 10:26:22 -0700 It’d be nicer if the “blank URL protocol” was something we got from KURL.h along with blankURL() instead of being a hard-coded string "about". 616394 9 abarth 2012-05-04 10:41:39 -0700 I've filed https://bugs.webkit.org/show_bug.cgi?id=85641 about changing the idiom. 140115 2012-05-03 15:48:57 -0700 2012-05-03 17:52:34 -0700 Patch bug-85233-20120503154855.patch text/plain 4312 abarth SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDExNjAzMCkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIxIEBACisyMDEyLTA1LTAzICBBZGFtIEJh cnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+CisKKyAgICAgICAgQ1NQIHNob3VsZG4ndCBibG9jayBh Ym91dDpibGFuayBmb3IgaWZyYW1lcworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9z aG93X2J1Zy5jZ2k/aWQ9ODUyMzMKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMh KS4KKworICAgICAgICBBcyBkaXNjdXNzZWQgYXQgdGhlIFczQyBXZWJBcHBTZWMgZmFjZS10by1m YWNlIG1lZXRpbmcsIHRoZXJlJ3Mgbm8KKyAgICAgICAgcG9pbnQgaW4gYmxvY2tpbmcgYWJvdXQ6 YmxhbmsgaWZyYW1lcyBvciBvYmplY3RzIGJlY2F1c2UgYmxvY2tpbmcgYQorICAgICAgICBmcmFt ZSBvciBvYmplY3QganVzdCByZXN1bHRzIGluIGRpc3BsYXlpbmcgYWJvdXQ6YmxhbmsgYW55d2F5 LiAgVGhpcworICAgICAgICBwYXRjaCBqdXN0IHJlbW92ZXMgdGhlIHNwdXJpb3VzIGNvbnNvbGUg bWVzc2FnZSBhbmQgdmlvbGF0aW9uIHJlcG9ydC4KKworICAgICAgICBUZXN0OiBodHRwL3Rlc3Rz L3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtYWJvdXQtYmxhbmstYWxs b3dlZC1ieS1kZWZhdWx0Lmh0bWwKKworICAgICAgICAqIHBhZ2UvQ29udGVudFNlY3VyaXR5UG9s aWN5LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkNvbnRlbnRTZWN1cml0eVBvbGljeTo6YWxsb3dP YmplY3RGcm9tU291cmNlKToKKyAgICAgICAgKFdlYkNvcmU6OkNvbnRlbnRTZWN1cml0eVBvbGlj eTo6YWxsb3dDaGlsZEZyYW1lRnJvbVNvdXJjZSk6CisKIDIwMTItMDUtMDMgIFBoaWxpcCBSb2dl cnMgIDxwZHJAZ29vZ2xlLmNvbT4KIAogICAgICAgICBGaXggbnVtZXJpYyBwcmVjaXNpb24gaXNz dWUgaW4gU1ZHIGFuaW1hdGlvbnMKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL3BhZ2UvQ29udGVudFNl Y3VyaXR5UG9saWN5LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9wYWdlL0NvbnRl bnRTZWN1cml0eVBvbGljeS5jcHAJKHJldmlzaW9uIDExNjAwMCkKKysrIFNvdXJjZS9XZWJDb3Jl L3BhZ2UvQ29udGVudFNlY3VyaXR5UG9saWN5LmNwcAkod29ya2luZyBjb3B5KQpAQCAtNjQxLDEy ICs2NDEsMTYgQEAgYm9vbCBDb250ZW50U2VjdXJpdHlQb2xpY3k6OmFsbG93U2NyaXB0RgogYm9v bCBDb250ZW50U2VjdXJpdHlQb2xpY3k6OmFsbG93T2JqZWN0RnJvbVNvdXJjZShjb25zdCBLVVJM JiB1cmwpIGNvbnN0CiB7CiAgICAgREVGSU5FX1NUQVRJQ19MT0NBTChTdHJpbmcsIHR5cGUsICgi b2JqZWN0IikpOworICAgIGlmICh1cmwucHJvdG9jb2xJcygiYWJvdXQiKSkKKyAgICAgICAgcmV0 dXJuIHRydWU7CiAgICAgcmV0dXJuIGNoZWNrU291cmNlQW5kUmVwb3J0VmlvbGF0aW9uKG9wZXJh dGl2ZURpcmVjdGl2ZShtX29iamVjdFNyYy5nZXQoKSksIHVybCwgdHlwZSk7CiB9CiAKIGJvb2wg Q29udGVudFNlY3VyaXR5UG9saWN5OjphbGxvd0NoaWxkRnJhbWVGcm9tU291cmNlKGNvbnN0IEtV UkwmIHVybCkgY29uc3QKIHsKICAgICBERUZJTkVfU1RBVElDX0xPQ0FMKFN0cmluZywgdHlwZSwg KCJmcmFtZSIpKTsKKyAgICBpZiAodXJsLnByb3RvY29sSXMoImFib3V0IikpCisgICAgICAgIHJl dHVybiB0cnVlOwogICAgIHJldHVybiBjaGVja1NvdXJjZUFuZFJlcG9ydFZpb2xhdGlvbihvcGVy YXRpdmVEaXJlY3RpdmUobV9mcmFtZVNyYy5nZXQoKSksIHVybCwgdHlwZSk7CiB9CiAKSW5kZXg6 IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VM b2cJKHJldmlzaW9uIDExNjAzMCkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2luZyBj b3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDEyLTA1LTAzICBBZGFtIEJhcnRoICA8YWJhcnRoQHdl YmtpdC5vcmc+CisKKyAgICAgICAgQ1NQIHNob3VsZG4ndCBibG9jayBhYm91dDpibGFuayBmb3Ig aWZyYW1lcworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 ODUyMzMKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBU ZXN0IHRoYXQgYWJvdXQ6YmxhbmsgaWZyYW1lcyBhbmQgb2JqZWN0cyBkb24ndCBnZW5lcmF0ZSBk ZWJ1ZyBsb2cKKyAgICAgICAgbWVzc2FnZXMuCisKKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3Vy aXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtYWJvdXQtYmxhbmstYWxsb3dlZC1i eS1kZWZhdWx0LWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1 cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvZnJhbWUtc3JjLWFib3V0LWJsYW5rLWFsbG93ZWQt YnktZGVmYXVsdC5odG1sOiBBZGRlZC4KKwogMjAxMi0wNS0wMyAgUGhpbGlwIFJvZ2VycyAgPHBk ckBnb29nbGUuY29tPgogCiAgICAgICAgIEZpeCBudW1lcmljIHByZWNpc2lvbiBpc3N1ZSBpbiBT VkcgYW5pbWF0aW9ucwpJbmRleDogTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250 ZW50U2VjdXJpdHlQb2xpY3kvZnJhbWUtc3JjLWFib3V0LWJsYW5rLWFsbG93ZWQtYnktZGVmYXVs dC1leHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1 cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvZnJhbWUtc3JjLWFib3V0LWJsYW5rLWFsbG93ZWQt YnktZGVmYXVsdC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtYWJvdXQtYmxh bmstYWxsb3dlZC1ieS1kZWZhdWx0LWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAsMCAr MSBAQAorVGhlc2UgZnJhbWVzIHNob3VsZCBub3QgYmUgYmxvY2tlZCBieSBDb250ZW50LVNlY3Vy aXR5LVBvbGljeS4gSXQncyBwb2ludGxlc3MgdG8gYmxvY2sgYWJvdXQ6YmxhbmsgaWZyYW1lcyBi ZWNhdXNlIGJsb2NraW5nIGEgZnJhbWUganVzdCByZXN1bHRzIGluIGRpc3BsYXlpbmcgYWJvdXQ6 YmxhbmsgYW55d2F5ISAgCkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2Nv bnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtYWJvdXQtYmxhbmstYWxsb3dlZC1ieS1kZWZh dWx0Lmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9j b250ZW50U2VjdXJpdHlQb2xpY3kvZnJhbWUtc3JjLWFib3V0LWJsYW5rLWFsbG93ZWQtYnktZGVm YXVsdC5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvZnJhbWUtc3JjLWFib3V0LWJsYW5rLWFsbG93ZWQtYnkt ZGVmYXVsdC5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDEwIEBACis8c2NyaXB0PgoraWYg KHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5k dW1wQXNUZXh0KCk7Cis8L3NjcmlwdD4KKzxtZXRhIGh0dHAtZXF1aXY9IlgtV2ViS2l0LUNTUCIg Y29udGVudD0iZnJhbWUtc3JjICdub25lJzsgb2JqZWN0LXNyYyAnbm9uZSciPgorVGhlc2UgZnJh bWVzIHNob3VsZCBub3QgYmUgYmxvY2tlZCBieSBDb250ZW50LVNlY3VyaXR5LVBvbGljeS4gIEl0 J3MgcG9pbnRsZXNzCit0byBibG9jayBhYm91dDpibGFuayBpZnJhbWVzIGJlY2F1c2UgYmxvY2tp bmcgYSBmcmFtZSBqdXN0IHJlc3VsdHMgaW4KK2Rpc3BsYXlpbmcgYWJvdXQ6YmxhbmsgYW55d2F5 IQorPGlmcmFtZSBzcmM9ImFib3V0OmJsYW5rIj48L2lmcmFtZT4KKzxvYmplY3QgdHlwZT0idGV4 dC9odG1sIiBkYXRhPSJhYm91dDpibGFuayI+PC9vYmplY3Q+Cg==