[Webkit-unassigned] [Bug 192857] New: CSP Endpoint must be whitelisted in connect-src
bugzilla-daemon at webkit.org
Wed Dec 19 09:26:03 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=192857
Bug ID: 192857
Summary: CSP Endpoint must be whitelisted in connect-src
Product: WebKit
Version: Safari Technology Preview
Hardware: Macintosh
OS: macOS 10.14
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fj at kermadec.com
In Safari and Safari Technology Preview up to and including Release 71 (Safari 12.1, WebKit 14607.1.15), it is necessary to whitelist a CSP Reporting Endpoint for the reports to be sent when "default-src" is set to "none". The console states "Failed to load resource: Blocked by Content Security Policy." and the Network Tab shows that ping requests to the CSP Reporting Endpoint have been blocked.
It should not be necessary to manually whitelist the CSP Reporting Endpoint. Furthermore, doing so using the "connect-src" directive whitelists a lot of undesirable connection types in addition to what is required to submit CSP violation reports: Fetch, XMLHttpRequest, WebSocket, and EventSource. No other major browser appears to behave in this way.
This will fail:
> default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
This will work:
> connect-src https://example.com/endpoint:443; default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
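To make the difference between the two policies above concrete, here is a small model of directive fallback and source matching (an added example, not WebKit code). It evaluates a policy under the spec's behaviour, where report-uri is not gated by any fetch directive, and under the behaviour described in this report, where the report ping is treated like a connect-src fetch. The connect-src variant uses `https://example.com/endpoint` rather than the reporter's `https://example.com/endpoint:443`, because the minimal host-source parser below does not accept a port written after the path; the policies and origin are otherwise constructed from the report.

```python
"""Model how a CSP report-uri endpoint is (or is not) gated by connect-src."""
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    """Split a serialized policy into {directive: [source, ...]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source: str, url: str, origin: str) -> bool:
    """Minimal source matching: 'none', 'self', scheme://host[:port][/path]."""
    src = source.strip("'").lower()
    if src == "none":
        return False
    u = urlsplit(url)
    if src == "self":
        return urlsplit(origin)[:2] == u[:2]  # same scheme and host:port
    # A source without a scheme matches any scheme; urlsplit needs "//" to see a host.
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.hostname != u.hostname:
        return False
    default_port = {"https": 443, "http": 80}.get(u.scheme)
    if s.port and s.port != (u.port or default_port):
        return False
    return u.path.startswith(s.path) if s.path else True  # prefix match, simplified

def connect_allowed(policy: dict, url: str, origin: str) -> bool:
    """connect-src is a fetch directive: it falls back to default-src when absent."""
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive, so the fetch is unrestricted
    return any(source_matches(s, url, origin) for s in sources)

def report_sent(policy: dict, origin: str, webkit_bug: bool = False) -> bool:
    """Spec: reports always go to report-uri. Reported WebKit behaviour: gated by connect-src."""
    endpoints = policy.get("report-uri", [])
    if not endpoints:
        return False
    if not webkit_bug:
        return True
    return all(connect_allowed(policy, e, origin) for e in endpoints)

# Constructed origin for the page sending the report; policies taken from the report.
ORIGIN = "https://site.example"
POLICY_FAILS = "default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';"
POLICY_WORKS = "connect-src https://example.com/endpoint; " + POLICY_FAILS
```

Under the spec model both policies send the report; under the reported WebKit model only the second does, and `connect_allowed` shows what else the added connect-src entry opens up.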