[Webkit-unassigned] [Bug 222484] New: CSP: Link header with rel=preload does not recognize nonces

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 26 11:44:42 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=222484

            Bug ID: 222484
           Summary: CSP: Link header with rel=preload does not recognize
                    nonces
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aaronshim at google.com

Safari does not recognize CSP nonces that are sent as a part of the Link header.

### Observed Behavior ###

Visit https://cloud.arturjanc.com/s/safari-link-nonce/link-header.

The following headers are sent:

Link: <https://arturjanc.com/foo2.js>; rel=preload; as=script; nonce=123
Content-Security-Policy: script-src 'nonce-123'; object-src 'none'; report-uri /foo

No script is run.


### Expected Behavior ###

Script is run. Chrome and Firefox run the script.

Interestingly, Safari will run the script if the preload Link is included as an HTML tag rather than a header (https://cloud.arturjanc.com/s/safari-link-nonce/link-element).

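Added example (not from the report or from WebKit): a small Python model of the check the reporter expects a user agent to perform, i.e. parse the `Link` header, pick out `rel=preload; as=script` entries, and test each entry's `nonce` parameter against the `'nonce-...'` source expressions in the CSP `script-src` directive. The second preload URL (`example.test`) is constructed to show the blocked case; only nonce matching is modelled, not host or `'self'` matching.

```python
import re

# Link header entry: <url>; param=value; ...  (entries separated by commas; a URL
# containing a literal comma would need a full RFC 8288 parser)
_LINK_ENTRY = re.compile(r"\s*<([^>]+)>\s*(.*)")
_NONCE_SOURCE = re.compile(r"^'nonce-([A-Za-z0-9+/_=-]+)'$")

def parse_link_header(value):
    """Parse a Link header into (url, {param: value}) pairs."""
    links = []
    for entry in value.split(","):
        m = _LINK_ENTRY.match(entry)
        if not m:
            continue
        params = {}
        for part in m.group(2).split(";"):
            part = part.strip()
            if part:
                key, _, val = part.partition("=")
                params[key.strip().lower()] = val.strip().strip('"')
        links.append((m.group(1), params))
    return links

def csp_script_nonces(policy):
    """Return the nonces that script-src (falling back to default-src) permits."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    # "'nonce-XYZ'" -> "XYZ"
    return {src[7:-1] for src in sources if _NONCE_SOURCE.match(src)}

def preloaded_scripts_allowed(link_header, csp_header):
    """Map each rel=preload as=script URL to whether its nonce satisfies the CSP.
    Only the 'nonce-...' source expression is modelled; host and 'self' matching
    are out of scope here."""
    nonces = csp_script_nonces(csp_header)
    result = {}
    for url, params in parse_link_header(link_header):
        if "preload" in params.get("rel", "").split() and params.get("as") == "script":
            result[url] = params.get("nonce") in nonces
    return result

# Constructed sample mirroring the report's headers (nonce "123"), plus a second
# preload that carries no nonce and should therefore be blocked.
LINK = ("<https://arturjanc.com/foo2.js>; rel=preload; as=script; nonce=123, "
        "<https://example.test/other.js>; rel=preload; as=script")
CSP = "script-src 'nonce-123'; object-src 'none'; report-uri /foo"
```

Running `preloaded_scripts_allowed(LINK, CSP)` yields `True` for the nonced `foo2.js` preload and `False` for the un-nonced one, which is the behaviour Chrome and Firefox exhibit for the report's headers.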