| Summary: | Cannot view PDFs on my.gov.au: "Refused to load https://my.gov.au/attachment/viewAttachment because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy" |
|---|---|
| Product: | WebKit |
| Reporter: | Daniel Bates <dbates> |
| Component: | WebCore Misc. |
| Assignee: | Daniel Bates <dbates> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | bfulgham, cdumez, dino, esprehn+autocc, ews-watchlist, kangil.han, mkwst, pvollan, webkit-bug-importer |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | Safari Technology Preview |
| Hardware: | All |
| OS: | All |
Description
Daniel Bates
2018-07-20 13:56:39 PDT
The page that opened the new window to the attachment has the following CSP policy delivered in an HTTP header:

    default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' 'unsafe-inline' https://www.centrelink.gov.au; style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; frame-src 'self'; font-src 'self'; frame-ancestors 'none'

And <https://my.gov.au/attachment/viewAttachment> does not have a CSP policy. Notice that <https://my.gov.au/attachment/viewAttachment> loads a PDF directly as a plugin document. Plugin documents inherit their policy from their embedding frame or opener.

Created attachment 345482 [details]
Patch and layout tests
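The directive fallback the report relies on (a plugin document is governed by object-src and, when that directive is absent, by default-src, which the opener sets to 'none') can be modelled in a few lines. The following is an added example and is not WebKit code nor anything from the bug or its patch: it parses the opener's policy quoted above, applies the fallback for an object load, and shows that appending `object-src 'self'` (an assumed site-side remediation, not something the bug proposes) permits the same-origin PDF while still refusing other origins. Function names such as `check_object_load`, the `fixed_policy` helper and the simplified source-expression matcher (no nonces, hashes, ports or path matching) are the example's own.

```python
"""Minimal CSP evaluator for plugin/object loads (added example, not WebKit code).

Models the object-src -> default-src fallback described in the bug. Only the
source expressions present in the quoted policy are handled: 'self', 'none',
scheme sources such as data:, and host sources with an optional *. prefix.
Nonces, hashes, ports and path matching are deliberately not modelled.
"""
from __future__ import annotations

from urllib.parse import urlparse

# CSP policy quoted in the bug description (delivered by the opener page).
MYGOV_POLICY = (
    "default-src 'none'; connect-src 'self'; img-src 'self' data:; "
    "script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' "
    "'unsafe-inline' https://www.centrelink.gov.au; "
    "style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; "
    "form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; "
    "frame-src 'self'; font-src 'self'; frame-ancestors 'none'"
)
SELF_ORIGIN = "https://my.gov.au"                          # origin of the opener page
PDF_URL = "https://my.gov.au/attachment/viewAttachment"   # plugin document from the bug


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        # Per CSP, a repeated directive name is ignored: the first occurrence wins.
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain but not example.com itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source: str, url: str, self_origin: str) -> bool:
    """Does one source expression permit fetching url from a page at self_origin?"""
    u, s = urlparse(url), urlparse(self_origin)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if src.startswith("'"):
        return False  # nonces, hashes, 'unsafe-*' never match a URL fetch
    if src.endswith(":"):
        return u.scheme == src[:-1]  # scheme-source, e.g. data:
    # host-source: [scheme://]host[:port][/path]; port and path are ignored here
    if "://" in src:
        scheme, _, hostport = src.partition("://")
    else:
        scheme, hostport = s.scheme, src  # schemeless source takes the page's scheme
    if u.scheme != scheme:
        return False
    host = hostport.split("/")[0].split(":")[0]
    return _host_matches(host, (u.hostname or "").lower())


def effective_directive(directives: dict[str, list[str]], directive: str):
    """Return (governing directive name, its sources); object-src falls back to default-src."""
    if directive in directives:
        return directive, directives[directive]
    if "default-src" in directives:
        return "default-src", directives["default-src"]
    return directive, None  # neither present: the load is unrestricted


def check_object_load(policy: str, url: str, self_origin: str) -> tuple[bool, str]:
    """Decide whether a plugin/object load of url is permitted under policy."""
    name, sources = effective_directive(parse_policy(policy), "object-src")
    if sources is None:
        return True, "no object-src or default-src directive: unrestricted"
    if any(source_allows(src, url, self_origin) for src in sources):
        return True, f"allowed by {name}"
    return False, (f"Refused to load {url} because it appears in neither the object-src "
                   "directive nor the default-src directive of the Content Security Policy")


def fixed_policy(policy: str) -> str:
    """Assumed remediation: explicitly permit same-origin plugin documents."""
    return policy + "; object-src 'self'"


if __name__ == "__main__":
    print(check_object_load(MYGOV_POLICY, PDF_URL, SELF_ORIGIN))
    print(check_object_load(fixed_policy(MYGOV_POLICY), PDF_URL, SELF_ORIGIN))
    print(check_object_load(fixed_policy(MYGOV_POLICY), "https://other.example/x.pdf", SELF_ORIGIN))
```

Running it reproduces the refusal from the bug title for the original policy and an allow for the same-origin PDF once `object-src 'self'` is present; a PDF from any other origin is still refused, which is the narrowest change that restores the attachment viewer without reopening object loads generally.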
Comment on attachment 345482 [details]
Patch and layout tests

Attachment 345482 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8603929

New failing tests:
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-allowed-in-child-window.html
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html
http/tests/security/video-poster-cross-origin-crash2.html
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php

Created attachment 345491 [details]
Archive of layout-test-results from ews206 for win-future
The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
(In reply to Build Bot from comment #5)
> Comment on attachment 345482 [details]
> Patch and layout tests
>
> Attachment 345482 [details] did not pass win-ews (win):
> Output: https://webkit-queues.webkit.org/results/8603929
>
> New failing tests:
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-allowed-in-child-window.html
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html
> http/tests/security/video-poster-cross-origin-crash2.html
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php

Will skip these tests for now. Plugins or plugin tests do not seem to work on Windows and we skip many (if not all) plugin tests on Windows despite <rdar://problem/5074411> being marked closed (why?).

Created attachment 345543 [details]
Patch and layout tests
Comment on attachment 345543 [details]
Patch and layout tests

Clearing flags on attachment: 345543

Committed r234149: <https://trac.webkit.org/changeset/234149>

All reviewed patches have been landed. Closing bug.