Bug 264355

Summary: Content Security Policy for previous load should not apply to subsequent alternate HTML load
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: achristensen, ap, bugs-noreply, katherine_cheney, mcatanzaro, pgriffis, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=272590
Attachments:
Description Flags
expected result
none
actual result none

Description Michael Catanzaro 2023-11-07 12:08:13 PST 
Created attachment 468507 [details]
expected result

To reproduce, first load https://duckduckgo.com/ and then load https://expired.badssl.com/

In Epiphany, the expected result is for an insecure lock icon to be displayed on the TLS error page. But actually, the icon is blocked by DuckDuckGo's Content Security Policy, i.e. the CSP for the *previous* page is still being enforced for the next load, even though the next load is for a different website that has nothing to do with DuckDuckGo. This is probably specific to alternate HTML loads, but I'm not certain.

The TLS error page works fine if I visit https://expired.badssl.com/ directly without first loading https://duckduckgo.com/

(I assume it won't be possible to reproduce the exact same error in Safari as the TLS error page is surely constructed differently, but it seems unlikely that the underlying bug is platform-specific.)
Comment 1 Michael Catanzaro 2023-11-07 12:09:19 PST 
Created attachment 468508 [details]
actual result

Almost forgot to provide the error message from the web inspector:

[Error] Refused to load ephy-resource:///org/gnome/epiphany/page-icons/channel-insecure-symbolic.svg because it does not appear in the img-src directive of the Content Security Policy.
Comment 2 Patrick Griffis 2023-11-07 12:26:51 PST 
Note that the error page isn't a normal navigation, its `WebPage::loadAlternateHTML()`, possibly leaving some state behind.
Comment 3 Radar WebKit Bug Importer 2023-11-14 12:09:14 PST 
<rdar://problem/118411558>