From bdfdf5deadaf250cd1a2eec319618efb9f045125 Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez <roberto_rodriguez2@apple.com>
Date: Mon, 6 Apr 2026 13:33:49 -0700
Subject: [PATCH] WebKit export of
 https://bugs.webkit.org/show_bug.cgi?id=308752

---
 .../blob/frame-src-blob-matches-blob.sub.html | 36 +++++++++++++++++++
 ...rame-src-self-does-not-match-blob.sub.html | 33 +++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 content-security-policy/blob/frame-src-blob-matches-blob.sub.html
 create mode 100644 content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html

diff --git a/content-security-policy/blob/frame-src-blob-matches-blob.sub.html b/content-security-policy/blob/frame-src-blob-matches-blob.sub.html
new file mode 100644
index 00000000000000..0dbc89bdd59361
--- /dev/null
+++ b/content-security-policy/blob/frame-src-blob-matches-blob.sub.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; frame-src blob:;">
+    <title>frame-src-blob-matches-blob</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["PASS (1/1)"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>
+        blob: URLs should match if the blob: scheme is explicitly specified in the frame-src directive.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("FAIL");
+        });
+
+        var b = new Blob(['<html><body></body></html>'], {
+            type: 'text/html'
+        });
+        var iframe = document.createElement('iframe');
+        iframe.src = URL.createObjectURL(b);
+        iframe.onload = function() {
+            log("PASS (1/1)");
+        };
+        document.body.appendChild(iframe);
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>
diff --git a/content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html b/content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html
new file mode 100644
index 00000000000000..fc54910644c122
--- /dev/null
+++ b/content-security-policy/blob/frame-src-self-does-not-match-blob.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; frame-src 'self';">
+    <title>frame-src-self-does-not-match-blob</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/logTest.sub.js?logs=["violated-directive=frame-src"]'></script>
+    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+    <p>
+        blob: URLs should not match the &apos;self&apos; source in a frame-src directive because blob: is a non-HTTP(S) scheme that must be explicitly listed.
+    </p>
+    <script>
+        window.addEventListener('securitypolicyviolation', function(e) {
+            log("violated-directive=" + e.violatedDirective);
+        });
+
+        var b = new Blob(['<html><body>FAIL</body></html>'], {
+            type: 'text/html'
+        });
+        var iframe = document.createElement('iframe');
+        iframe.src = URL.createObjectURL(b);
+        document.body.appendChild(iframe);
+
+    </script>
+    <div id="log"></div>
+</body>
+
+</html>