[Webkit-unassigned] [Bug 159832] New: CSP: Do not send report violation for policies that have hash but not 'unsafe-inline'

bugzilla-daemon at webkit.org
Fri Jul 15 14:00:13 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=159832

            Bug ID: 159832
           Summary: CSP: Do not send report violation for policies that
                    have hash but not 'unsafe-inline'
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dbates at webkit.org
                CC: bfulgham at webkit.org, wilander at apple.com

Suppose a page has the following markup:

...
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-A'">
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
</head>
<script>/* A script whose CSP SHA is 'sha256-A'. */</script>
...

Then we should send exactly one CSP violation report that explains that the script was blocked because it violated the second CSP meta tag.

We should have similar behavior for policies that have hashes for style elements.
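The report's point is that each delivered policy (one per meta tag or header) is evaluated on its own: a policy whose hash-source matches the inline element is satisfied and should produce no report, while every policy the element does violate produces exactly one. The following Python model is an added illustration, not WebKit's ContentSecurityPolicy code; it computes the CSP hash-source token for an inline script or style body, evaluates it per policy, and returns the indices of the policies that would each generate a violation report. The policy strings and element bodies are constructed sample inputs, and the hash/nonce handling of 'unsafe-inline' follows the CSP Level 2 rule that 'unsafe-inline' is ignored in a policy that also carries a hash or nonce source.

```python
"""Per-policy evaluation of an inline <script>/<style> element against a list of
Content-Security-Policy strings (one per <meta> tag or header).  Each policy is
evaluated independently; a violation report is due only for the policies the
element actually violates.  Added example, not WebKit code; inputs are constructed.
"""
import base64
import hashlib

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
KEYWORD_PREFIXES = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")


def hash_source(text: str, algo: str = "sha256") -> str:
    """CSP hash-source token for inline content, e.g. 'sha256-<base64 digest>'."""
    digest = HASH_ALGOS[algo](text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def parse_policy(policy: str) -> dict:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def governing_sources(directives: dict, directive: str):
    """script-src / style-src fall back to default-src; None means no restriction."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src")


def inline_allowed(policy: str, directive: str, text: str) -> bool:
    """Decide whether ONE policy permits an inline element whose body is `text`."""
    sources = governing_sources(parse_policy(policy), directive)
    if sources is None:
        return True  # policy says nothing about this element type
    has_hash_or_nonce = any(s.startswith(KEYWORD_PREFIXES) for s in sources)
    # 'unsafe-inline' only counts when the policy carries no hash/nonce source.
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    # Otherwise the element must match one of the policy's hash sources.
    return any(hash_source(text, algo) in sources for algo in HASH_ALGOS)


def violated_policies(policies, directive, text):
    """Indices of the policies that would each produce one violation report."""
    return [i for i, p in enumerate(policies) if not inline_allowed(p, directive, text)]


if __name__ == "__main__":
    # Constructed scenario: policy 0 whitelists the script by hash, policy 1 does not.
    script = "/* inline script body */"
    policies = ["script-src " + hash_source(script), "script-src 'self'"]
    print("policies to report:", violated_policies(policies, "script-src", script))  # [1]
```

Running the block reports only policy 1: the hash-satisfied policy 0 is silent, which is the behaviour the bug asks for. Passing "style-src" with a stylesheet body exercises the same logic for inline style elements.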
