Steps to reproduce: The following steps assume you have a my.gov.au account that has a message with an attachment.

1. Visit my.gov.au and sign into your account.
2. Open a message listed in your Inbox that has an attachment (signified by the presence of an icon with a paperclip to the right of the name of the message).
3. Open the attachment.

Then a new window/tab opens to <https://my.gov.au/attachment/viewAttachment> and displays "Blocked Plug-in". But the contents of the attachment should have been rendered.
The page that opened the new window to the attachment has the following CSP policy delivered in an HTTP header:

default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' 'unsafe-inline' https://www.centrelink.gov.au; style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; frame-src 'self'; font-src 'self'; frame-ancestors 'none'

And <https://my.gov.au/attachment/viewAttachment> does not have a CSP policy.
Notice that <https://my.gov.au/attachment/viewAttachment> loads a PDF directly as a plugin document. Plugin documents inherit their policy from their embedding frame or opener.
<rdar://problem/41190880>
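The policy inheritance described in the report can be modelled in a few lines. The following is an added illustration, not WebKit code and not anything served by my.gov.au: it parses a serialized Content-Security-Policy header into directives, decides whether `plugin-types` permits a plugin of a given media type, and applies the rule the report states, namely that a plugin document with no CSP header of its own is governed by the policy of the frame or opener that created it. The sample header is the opener policy quoted in the report; the MIME types other than application/pdf are constructed test inputs. Note that `plugin-types` was later removed from CSP Level 3, so current browsers ignore the directive and this model describes engines of the era of the report.

```python
"""Model how a CSP `plugin-types` directive governs a plugin document.

Added illustration only (not WebKit's implementation): a minimal CSP parser,
a plugin-types check, and the inheritance rule from the bug report.
"""
from typing import Optional

# The opener's policy exactly as quoted in the report (the my.gov.au inbox page).
OPENER_CSP = (
    "default-src 'none'; connect-src 'self'; img-src 'self' data:; "
    "script-src 'self' 'nonce-c4c9c3a25e9546538c72fb86046620397fcbea56' "
    "'unsafe-inline' https://www.centrelink.gov.au; "
    "style-src 'self' 'unsafe-inline' https://www.centrelink.gov.au; "
    "form-action 'self'; plugin-types application/pdf application/x-shockwave-flash; "
    "frame-src 'self'; font-src 'self'; frame-ancestors 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [values]}.

    Directives are ';'-separated; the first whitespace-delimited token is the
    directive name (ASCII case-insensitive). Per the CSP spec, only the first
    occurrence of a directive name counts; later duplicates are ignored.
    """
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def plugin_type_allowed(policy: Optional[dict[str, list[str]]], mime_type: str) -> bool:
    """Return True if `plugin-types` permits a plugin handling this media type.

    No governing policy, or a policy without `plugin-types`, imposes no
    restriction. Otherwise the type/subtype must be listed (compared
    case-insensitively, with any ';parameter' stripped); an empty list blocks all.
    """
    if policy is None or "plugin-types" not in policy:
        return True
    allowed = {t.lower() for t in policy["plugin-types"]}
    essence = mime_type.split(";", 1)[0].strip().lower()
    return essence in allowed


def effective_policy(own_csp: Optional[str], opener_csp: Optional[str]) -> Optional[dict[str, list[str]]]:
    """Policy that governs a plugin document.

    A plugin document delivered with its own Content-Security-Policy header is
    judged by that header. One delivered without any, like
    /attachment/viewAttachment in the report, inherits the policy of the
    embedding frame or opener.
    """
    if own_csp is not None:
        return parse_csp(own_csp)
    if opener_csp is not None:
        return parse_csp(opener_csp)
    return None


def plugin_document_allowed(own_csp: Optional[str], opener_csp: Optional[str], mime_type: str) -> bool:
    """Combine inheritance and the plugin-types check for one plugin document."""
    return plugin_type_allowed(effective_policy(own_csp, opener_csp), mime_type)


if __name__ == "__main__":
    # The attachment page has no CSP, so the opener's plugin-types applies: PDF is permitted.
    print(plugin_document_allowed(None, OPENER_CSP, "application/pdf"))  # True
    # A plugin type the opener never listed is refused (constructed input).
    print(plugin_document_allowed(None, OPENER_CSP, "application/x-java-applet"))  # False
    # A plugin document carrying its own header is judged by that header instead (constructed input).
    print(plugin_document_allowed("plugin-types application/x-shockwave-flash", OPENER_CSP, "application/pdf"))  # False
```

Under this model the attachment in the report should render: the opener lists application/pdf, the attachment page has no header of its own, so the inherited policy permits the plugin. That is the outcome the layout tests named in the later comments (same-origin plugin document allowed or blocked in a child window) exercise.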
Created attachment 345482 [details] Patch and layout tests
Comment on attachment 345482 [details]
Patch and layout tests

Attachment 345482 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8603929

New failing tests:
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-allowed-in-child-window.html
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html
http/tests/security/video-poster-cross-origin-crash2.html
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php
Created attachment 345491 [details]
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
(In reply to Build Bot from comment #5)
> Comment on attachment 345482 [details]
> Patch and layout tests
>
> Attachment 345482 [details] did not pass win-ews (win):
> Output: https://webkit-queues.webkit.org/results/8603929
>
> New failing tests:
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-allowed-in-child-window.html
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html
> http/tests/security/video-poster-cross-origin-crash2.html
> http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php

Will skip these tests for now. Plugins or plugin tests do not seem to work on Windows and we skip many (if not all) plugin tests on Windows despite <rdar://problem/5074411> being marked closed (why?).
Created attachment 345543 [details] Patch and layout tests
Comment on attachment 345543 [details]
Patch and layout tests

Clearing flags on attachment: 345543

Committed r234149: <https://trac.webkit.org/changeset/234149>
All reviewed patches have been landed. Closing bug.