[webkit-changes] [WebKit/WebKit] 88833b: 'strict-dynamic' in script-src CSP breaks external...
Luke Warlow
noreply at github.com
Wed Aug 21 14:14:54 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 88833ba4cdcb34cf4e173fec453dafac8c74ccda
https://github.com/WebKit/WebKit/commit/88833ba4cdcb34cf4e173fec453dafac8c74ccda
Author: Luke Warlow <lwarlow at igalia.com>
Date: 2024-08-21 (Wed, 21 Aug 2024)
Changed paths:
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes-expected.txt
M Source/WebCore/dom/ScriptElement.cpp
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/page/csp/ContentSecurityPolicy.h
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
Log Message:
-----------
'strict-dynamic' in script-src CSP breaks external script with matching integrity hash
https://bugs.webkit.org/show_bug.cgi?id=270784
Reviewed by Ryan Reno.
This patch updates the early CSP checks for when 'strict-dynamic' is present to also match sub-resource-integrity.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_hashes-expected.txt:
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestClassicScript):
(WebCore::ScriptElement::requestModuleScript):
(WebCore::ScriptElement::requestImportMap):
(WebCore::ScriptElement::executeClassicScript):
(WebCore::ScriptElement::registerImportMap):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
* Source/WebCore/page/csp/ContentSecurityPolicy.h:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h:
Canonical link: https://commits.webkit.org/282577@main