[Webkit-unassigned] [Bug 216312] New: Content-Security-Policy unsafe-eval violations do not use CSP reporting mechanism

bugzilla-daemon at webkit.org
Wed Sep 9 08:56:40 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=216312

            Bug ID: 216312
           Summary: Content-Security-Policy unsafe-eval violations do not
                    use CSP reporting mechanism
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: koto at google.com

Violations of Content Security Policy restrictions for a document cause two observable effects (defined in https://w3c.github.io/webappsec-csp/#report-violation) - a SecurityPolicyViolationEvent is dispatched, and a report is sent to the endpoint defined in the report-uri / report-to directive.

For restricting eval and similar functions, this behavior is defined in https://w3c.github.io/webappsec-csp/#can-compile-strings (step 2.2.3).

It seems that WebKit - while it correctly blocks eval when a CSP script-src without 'unsafe-eval' is used in a document, and allows it in other cases (including when the CSP header is in its Report-Only variant) - does not do any reporting.

This has an unfortunate effect - in report-only mode eval is allowed, but the web authors don't get notified about it, so when the webpage starts enforcing CSP, the behaviour changes without a way of detecting it earlier. eval is blocked, most likely breaking the web application (and there is no CSP report about this either, so it's not easy to correlate the failures with the CSP enforcement).

Steps to reproduce:

1. In Safari, go to https://gadgets.kotowicz.net/poc/tt/
2. Click the 'generate eval violation'

What should happen?
1. a JSON with the violation should appear on the screen
2. a SecurityPolicyViolationEvent should be logged in the console.

What happens instead?
1. Eval is blocked, but no report is sent, or event dispatched.

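The spec step the report cites (https://w3c.github.io/webappsec-csp/#can-compile-strings) is what decides both outcomes at once: whether eval is blocked, and whether a violation is reported. The following is an added Node.js example, not code from the bug report and not WebKit's implementation, that models that step for a list of policies. It assumes a simplified CSP header parser, a policy object of the example's own shape (`disposition` plus a directive map) and a trimmed-down report object; the real violation object and report body carry more fields. It shows the behaviour the reporter expects: an enforced policy without 'unsafe-eval' blocks and reports, a Report-Only policy allows and still reports, and a policy that grants 'unsafe-eval' (or does not govern script at all) does neither.

```javascript
// Added example: a model of CSP "can compile strings" (step 2 of the spec
// algorithm). Not WebKit code; the parser and report shape are this example's
// own simplifications.

// Parse a serialized CSP ("script-src 'self'; report-uri /csp") into a Map of
// directive name -> array of source expressions. Directives are separated by
// ';', values by whitespace; a repeated directive name is ignored (first wins),
// as the spec requires. Names are lowercased, values keep their case.
function parseSerializedCsp(header) {
  const directives = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// A policy's disposition comes from the header name: Content-Security-Policy
// enforces, Content-Security-Policy-Report-Only only reports.
function policyFromHeader(headerName, headerValue) {
  const disposition = /report-only$/i.test(headerName) ? 'report' : 'enforce';
  return { disposition, directives: parseSerializedCsp(headerValue) };
}

// The source list that governs eval(): script-src, falling back to default-src.
// null means this policy says nothing about script compilation.
function evalSourceList(policy) {
  if (policy.directives.has('script-src')) return policy.directives.get('script-src');
  if (policy.directives.has('default-src')) return policy.directives.get('default-src');
  return null;
}

// For every policy whose governing source list lacks 'unsafe-eval', a violation
// is reported (effective directive "script-src", blocked resource "eval").
// Only an enforced policy additionally turns the result into "Blocked"; a
// report-only policy leaves eval allowed but must still report.
function canCompileStrings(policies) {
  let result = 'Allowed';
  const reports = [];
  for (const policy of policies) {
    const sourceList = evalSourceList(policy);
    if (sourceList === null) continue;
    const allowsEval = sourceList.some((s) => s.toLowerCase() === "'unsafe-eval'");
    if (allowsEval) continue;
    reports.push({
      'effective-directive': 'script-src',
      'blocked-uri': 'eval',
      disposition: policy.disposition,
    });
    if (policy.disposition === 'enforce') result = 'Blocked';
  }
  return { result, reports };
}

// Demo: the report-only situation from the bug. eval stays allowed, but a
// report is still produced, which is exactly what lets authors spot the
// breakage before switching the header to enforcing mode.
const demo = canCompileStrings([
  policyFromHeader('Content-Security-Policy-Report-Only', "script-src 'self'; report-uri /csp"),
]);
console.log(JSON.stringify(demo, null, 2));
```

The model also handles a document with several policies (e.g. one enforced and one report-only header): each policy is evaluated independently and each one that forbids eval yields its own report, while the compile result is "Blocked" as soon as any enforced policy forbids it.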