[Webkit-unassigned] [Bug 216312] New: Content-Security-Policy unsafe-eval violations do not use CSP reporting mechanism
bugzilla-daemon at webkit.org
Wed Sep 9 08:56:40 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=216312
Bug ID: 216312
Summary: Content-Security-Policy unsafe-eval violations do not use CSP reporting mechanism
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: koto at google.com
Violations of Content Security Policy restrictions for a document cause two observable effects (defined in https://w3c.github.io/webappsec-csp/#report-violation) - a SecurityPolicyViolationEvent is dispatched, and a report is sent to an endpoint defined in report-uri / report-to directive.
For restricting eval and similar functions, this behavior is defined in https://w3c.github.io/webappsec-csp/#can-compile-strings (step 2.2.3).
It seems like WebKit - while it correctly blocks eval when CSP script-src without 'unsafe-eval' is used in a document, and allows it in other cases (including when the CSP header is in its Report-Only variant) - does not do any reporting.
This has an unfortunate effect - in report-only mode eval is allowed, but the web authors don't get notified about it, so when the webpage starts enforcing CSP, the behaviour changes without a way of detecting it earlier. eval is blocked, most likely breaking the web application (and there is no CSP report about this either, so it's not easy to correlate the failures with the CSP enforcement).
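The two reporting paths the reporter refers to deliver differently shaped JSON: the legacy report-uri endpoint receives a single object wrapped in "csp-report" with hyphenated keys, while a report-to endpoint receives a Reporting API array of {"type":"csp-violation","body":{...}} objects with camelCase keys. The following is an added example (not WebKit code and not the reporter's PoC) of an endpoint-side helper that normalizes both shapes and counts eval violations by disposition, so a site running in Report-Only mode can see eval usage before enforcing. The sample report bodies, the app.example / cdn.example URLs and the "constructed" user agent are made up for the example; the field names follow the CSP3 specification linked above.

```javascript
'use strict';

// Added example, not WebKit's code: normalize CSP violation reports from both
// delivery mechanisms (report-uri JSON and Reporting API report-to JSON) and
// flag eval violations, split by whether the policy was enforced or Report-Only.

// Normalize one report into a flat record with CSP3 (report-to) field names.
function normalizeReport(report) {
  if (report && typeof report === 'object' && report['csp-report']) {
    // report-uri format: hyphenated keys inside a "csp-report" wrapper.
    const r = report['csp-report'];
    return {
      documentURL: r['document-uri'] || '',
      blockedURL: r['blocked-uri'] || '',
      effectiveDirective: r['effective-directive'] || r['violated-directive'] || '',
      disposition: r['disposition'] || 'enforce', // older senders omit it
      sourceFile: r['source-file'] || null,
      lineNumber: r['line-number'] ?? null,
      sample: r['script-sample'] || '',
    };
  }
  if (report && report.type === 'csp-violation' && report.body) {
    // report-to format: camelCase keys inside "body".
    const b = report.body;
    return {
      documentURL: b.documentURL || '',
      blockedURL: b.blockedURL || '',
      effectiveDirective: b.effectiveDirective || '',
      disposition: b.disposition || 'enforce',
      sourceFile: b.sourceFile || null,
      lineNumber: b.lineNumber ?? null,
      sample: b.sample || '',
    };
  }
  return null; // not a CSP violation report
}

// Parse a raw request body: report-uri sends one object, report-to sends an array.
function parseReportBody(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return []; }
  const items = Array.isArray(parsed) ? parsed : [parsed];
  return items.map(normalizeReport).filter(Boolean);
}

// Per the spec's can-compile-strings algorithm, an eval()/Function() violation
// is reported against script-src with the blocked resource set to "eval".
function isEvalViolation(rec) {
  return rec.blockedURL === 'eval' && /^script-src/.test(rec.effectiveDirective);
}

// Count eval violations by disposition and by document. A non-zero reportOnly
// count is the early warning a team wants before switching the policy to enforce.
function summarizeEvalViolations(rawBodies) {
  const summary = { reportOnly: 0, enforced: 0, documents: {} };
  for (const raw of rawBodies) {
    for (const rec of parseReportBody(raw)) {
      if (!isEvalViolation(rec)) continue;
      if (rec.disposition === 'report') summary.reportOnly++; else summary.enforced++;
      summary.documents[rec.documentURL] = (summary.documents[rec.documentURL] || 0) + 1;
    }
  }
  return summary;
}

// Constructed sample bodies (not captured from a real browser).
const SAMPLE_REPORT_URI_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/dashboard',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': "script-src 'self'; report-uri /csp",
    'disposition': 'report',
    'blocked-uri': 'eval',
    'source-file': 'https://app.example/js/legacy.js',
    'line-number': 42,
    'script-sample': 'eval(payload)',
  },
});

const SAMPLE_REPORT_TO_BODY = JSON.stringify([
  { type: 'csp-violation', age: 10, url: 'https://app.example/dashboard', user_agent: 'constructed',
    body: { documentURL: 'https://app.example/dashboard', blockedURL: 'eval',
            effectiveDirective: 'script-src', originalPolicy: "script-src 'self'; report-to csp",
            disposition: 'enforce', sourceFile: 'https://app.example/js/legacy.js', lineNumber: 42 } },
  // A non-eval violation (blocked external script) that must not be counted.
  { type: 'csp-violation', age: 12, url: 'https://app.example/dashboard', user_agent: 'constructed',
    body: { documentURL: 'https://app.example/dashboard', blockedURL: 'https://cdn.example/x.js',
            effectiveDirective: 'script-src-elem', disposition: 'enforce' } },
]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(
    summarizeEvalViolations([SAMPLE_REPORT_URI_BODY, SAMPLE_REPORT_TO_BODY]), null, 2));
}
```

On the page side, the same signal is available without a server: a `securitypolicyviolation` listener on `document` receives a SecurityPolicyViolationEvent whose `blockedURI` is "eval" and whose `disposition` is "report" or "enforce". Both paths are empty in a browser with the behaviour described in this bug, which is why the report-only rollout gives no warning.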
Steps to reproduce:
1. In Safari, go to https://gadgets.kotowicz.net/poc/tt/
2. Click the 'generate eval violation'
What should happen?
1. a JSON with the violation should appear on the screen
2. a SecurityPolicyViolationEvent should be logged in the console.
What happens instead?
1. Eval is blocked, but no report is sent, or event dispatched.