[Webkit-unassigned] [Bug 67008] New: Content Security Policy in Chrome doesn't let whitelisted script run

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 25 18:03:11 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67008

           Summary: Content Security Policy in Chrome doesn't let
                    whitelisted script run
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://gradgrind.erso.berkeley.edu/appendscripttest.php
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: apf at cs.berkeley.edu
                CC: abarth at webkit.org


Load http://gradgrind.erso.berkeley.edu/appendscripttest.php in Chrome and Firefox and you will get two different interpretations of the same CSP.

The site has the following CSP set:

    header("X-Content-Security-Policy: allow 'self'; img-src *");
    header("X-WebKit-CSP: default-src 'self'; img-src *");

On the page, a whitelisted script dynamically appends a "script" element to the head, with a source on the same domain.

    window.onload = function() {
        // Locate <head> and append a new external script once the page has loaded
        var headID = document.getElementsByTagName("head")[0];
        var newScript = document.createElement('script');
        newScript.type = 'text/javascript';
        newScript.src = 'csp-4.js';   // relative URL, resolves to the same origin as the page
        headID.appendChild(newScript);
    }

In Firefox, the new script executes.
In Chrome, the new script does not execute even though the src is whitelisted.

It seems to me like the Firefox behavior is correct and the Chrome behavior is wrong.

(My tests were done on Google Chrome 15.0.862.0 canary and Firefox 6.0.)
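To make the expected verdict concrete, here is an added example (not code from the bug report or from WebKit) that evaluates a CSP header value against the URL of a dynamically appended script. It implements the script-src to default-src fallback, the 'self', 'none' and * keywords, host sources with an optional scheme, port and leading "*." wildcard, and treats the legacy "allow" directive of the X-Content-Security-Policy header as an alias for default-src; nonces, hashes, path matching and 'unsafe-inline' are deliberately not modelled. The page and script URLs come from the report; everything else (function names, the alias handling, the default-port table) is this example's own assumption.

```javascript
// Added example, not code from the bug report: a small evaluator for the
// CSP source-list matching that decides whether a <script src> inserted at
// runtime is permitted by the policy. Under "default-src 'self'" a script
// resolved to the page's own origin must be allowed, which is the verdict
// the reporter expects from both browsers.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    let name = tokens[0].toLowerCase();
    if (name === 'allow') name = 'default-src'; // legacy X-Content-Security-Policy spelling (assumed alias)
    if (!(name in policy)) policy[name] = tokens.slice(1); // first occurrence of a directive wins
  }
  return policy;
}

// Resolve a relative src attribute against the document URL, as the
// browser does before consulting the policy.
function resolveScriptUrl(src, pageUrl) {
  return new URL(src, pageUrl).href;
}

function effectivePort(u) {
  return u.port || DEFAULT_PORT[u.protocol] || '';
}

// Match one host-source expression such as "cdn.example.com",
// "https://cdn.example.com:443" or "*.example.com".
function hostSourceMatches(expr, target, page) {
  let scheme = page.protocol;       // scheme-less host sources inherit the page scheme
  let rest = expr;
  const i = expr.indexOf('://');
  if (i !== -1) {
    scheme = expr.slice(0, i).toLowerCase() + ':';
    rest = expr.slice(i + 3);
  }
  if (target.protocol !== scheme) return false;
  const slash = rest.indexOf('/');
  if (slash !== -1) rest = rest.slice(0, slash); // path component ignored (not modelled)
  const [host, port] = rest.toLowerCase().split(':');
  const targetHost = target.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!targetHost.endsWith(host.slice(1))) return false; // "*.example.com" -> ".example.com" suffix
  } else if (host !== targetHost) {
    return false;
  }
  if (port !== undefined && port !== '*' && port !== effectivePort(target)) return false;
  return true;
}

function sourceMatches(expr, target, page) {
  switch (expr) {
    case "'none'": return false;
    case "'self'": return target.origin === page.origin;
    case '*':      return true;
    default:       return hostSourceMatches(expr, target, page);
  }
}

// Decide whether scriptUrl may execute on pageUrl under the given header
// value. A policy with neither script-src nor default-src imposes no limit
// on scripts; an empty source list means nothing matches.
function scriptAllowed(header, scriptUrl, pageUrl) {
  const policy = parsePolicy(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  const target = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return sources.some(expr => sourceMatches(expr, target, page));
}

// Walk through the report's scenario (URLs taken from the report).
const PAGE = 'http://gradgrind.erso.berkeley.edu/appendscripttest.php';
const SCRIPT = resolveScriptUrl('csp-4.js', PAGE);
for (const header of ["default-src 'self'; img-src *", "allow 'self'; img-src *"]) {
  console.log(JSON.stringify(header), '->', scriptAllowed(header, SCRIPT, PAGE));
}
```

Both header values in the report resolve the same way here: csp-4.js resolves to http://gradgrind.erso.berkeley.edu/csp-4.js, the same origin as the page, so 'self' matches and the script is allowed. Swapping in an explicit script-src that names another host shows the fallback rule in the other direction, since script-src then takes precedence over default-src and the same-origin script is rejected.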
