[Webkit-unassigned] [Bug 192857] New: CSP Endpoint must be whitelisted in connect-src

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 19 09:26:03 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=192857

            Bug ID: 192857
           Summary: CSP Endpoint must be whitelisted in connect-src
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Macintosh
                OS: macOS 10.14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fj at kermadec.com

In Safari and Safari Technology Preview up to and including Release 71 (Safari 12.1, WebKit 14607.1.15), it is necessary to whitelist a CSP Reporting Endpoint for the reports to be sent, when "default-src" is set to "none". The console states "Failed to load resource: Blocked by Content Security Policy." and the Network Tab shows that ping requests to the CSP Reporting Endpoint have been blocked.

It should not be necessary to manually whitelist the CSP Reporting Endpoint. Furthermore, doing so using the "connect-src" directive whitelists a lot of undesirable connection types in addition to what is required to submit CSP violation reports — Fetch, XMLHttpRequest, WebSocket, and EventSource. No other major browser appears to behave in this way.

This will fail:

> default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';

This will work:

> connect-src https://example.com/endpoint:443; default-src 'none'; report-uri https://example.com/endpoint; style-src 'self';
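
A simplified check for the behaviour described in this report, as an added example that is not part of the original bug report or WebKit's code: it reports whether each report-uri endpoint in a policy is covered by the effective connect-src list (falling back to default-src), which is the condition under which the affected Safari builds are reported to deliver violation reports. The function names and the page origin are hypothetical, and sources are compared by origin only (paths and host wildcards are ignored).

```javascript
// Added example: simplified CSP source matching, not WebKit's algorithm.
// Assumption: sources are compared by origin only; paths and host
// wildcards such as *.example.com are not evaluated.

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function sourceAllows(source, target, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true; // simplification: target is assumed http(s)
  if (s === "'self'") return target.origin === pageOrigin;
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  return originOf(source) === target.origin;
}

// Returns one { endpoint, allowed } entry per report-uri value.
// allowed === false means the report request would be blocked by a
// browser that applies connect-src to report delivery.
function reportDeliveryUnderConnectSrc(policy, pageOrigin) {
  const d = parsePolicy(policy);
  const endpoints = d.get('report-uri') || [];
  // connect-src falls back to default-src when it is absent.
  const list = d.get('connect-src') || d.get('default-src');
  return endpoints.map((endpoint) => {
    const target = new URL(endpoint, pageOrigin);
    const allowed = list === undefined ||
      list.some((src) => sourceAllows(src, target, pageOrigin));
    return { endpoint: target.href, allowed };
  });
}
```
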
