[Webkit-unassigned] [Bug 67008] New: Content Security Policy in Chrome doesn't let whitelisted script run
bugzilla-daemon at webkit.org
Thu Aug 25 18:03:11 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67008
Summary: Content Security Policy in Chrome doesn't let whitelisted script run
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
URL: http://gradgrind.erso.berkeley.edu/appendscripttest.php
OS/Version: Unspecified
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: apf at cs.berkeley.edu
CC: abarth at webkit.org
Load http://gradgrind.erso.berkeley.edu/appendscripttest.php in Chrome and Firefox and you will get two different interpretations of the same CSP.
The site has the following CSP set:
header("X-Content-Security-Policy: allow 'self'; img-src *");
header("X-WebKit-CSP: default-src 'self'; img-src *");
On the page, a whitelisted script dynamically appends a "script" element to the head, with a source on the same domain.
window.onload = function() {
    var headID = document.getElementsByTagName("head")[0];
    var newScript = document.createElement('script');
    newScript.type = 'text/javascript';
    newScript.src = 'csp-4.js';
    headID.appendChild(newScript);
};
In Firefox, the new script executes.
In Chrome, the new script does not execute even though the src is whitelisted.
It seems to me like the Firefox behavior is correct and the Chrome behavior is wrong.
(My tests done on Google Chrome 15.0.862.0 canary and Firefox 6.0.)
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
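
Added example (not part of the original report or of WebKit's code): a minimal JavaScript model of how the two headers in the report govern a script load. It assumes `script-src` falls back to `default-src` (or the legacy Mozilla `allow`) and handles only `'self'`, `'none'`, `*` and explicit origins; the function names are hypothetical. In this model the decision depends only on the resolved URL of `csp-4.js`, not on how the element was added to the page.

```javascript
// Split a policy string into directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Keep the first occurrence of a directive; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one source expression against an already-resolved URL.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true; // simplification: any origin
  if (s === "'self'") return url.origin === pageOrigin;
  try {
    return new URL(source).origin === url.origin; // explicit origin, e.g. http://host
  } catch {
    return false; // unsupported source expression in this model
  }
}

// Decide whether a script with the given src attribute may load on pageUrl.
function scriptAllowed(policy, pageUrl, scriptSrc) {
  const d = parsePolicy(policy);
  // Assumption: 'allow' is treated as the legacy spelling of default-src.
  const list = d.get('script-src') ?? d.get('default-src') ?? d.get('allow');
  if (list === undefined) return true; // no directive governs scripts
  const url = new URL(scriptSrc, pageUrl); // resolve relative src like the browser
  const pageOrigin = new URL(pageUrl).origin;
  return list.some((src) => sourceMatches(src, url, pageOrigin));
}

// Values taken from the report; the cross-origin URL is constructed.
const PAGE = 'http://gradgrind.erso.berkeley.edu/appendscripttest.php';
const WEBKIT_POLICY = "default-src 'self'; img-src *";
const MOZILLA_POLICY = "allow 'self'; img-src *";

console.log(scriptAllowed(WEBKIT_POLICY, PAGE, 'csp-4.js'));
console.log(scriptAllowed(MOZILLA_POLICY, PAGE, 'csp-4.js'));
console.log(scriptAllowed(WEBKIT_POLICY, PAGE, 'http://cdn.example/csp-4.js'));
```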