[Webkit-unassigned] [Bug 232781] New: Difference in handling of CSP policies in Safari Web Extensions

Fri Nov 5 22:14:05 PDT 2021

https://bugs.webkit.org/show_bug.cgi?id=232781

            Bug ID: 232781
           Summary: Difference in handling of CSP policies in Safari Web
                    Extensions
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Intel)
               URL: https://github.com/birtles/csp-bug
                OS: macOS 11
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: brian at birchill.co.jp
                CC: timothy at apple.com

I am encountering a difference in the way Safari Web Extensions interact with a page's CSP policies compared to Chrome/Firefox.

Background: Google Docs are rolling out a new canvas mode. In order for Web Extensions to cause an annotated canvas to be produced such that they can inspect the text of the document, they are required to inject a global into the Docs page as follows:

```
var scriptElem = document.createElement('script');
scriptElem.textContent = "(function() { window['_docs_annotate_canvas_by_ext'] = '<extension id>'; })();";
(document.head || document.documentElement).appendChild(scriptElem);
scriptElem.remove();
```

This works as expected in Chrome and Firefox but produces CSP errors in Safari and fails to run.

STR:

1. `git clone https://github.com/birtles/csp-bug.git`
2. Load `CSP bug repro/CSP bug repro.xcodeproj` from the repository in XCode 13.
3. Run the project
4. It should provide a window with a button to jump to Safari and enable the
   extension
5. You will need to enable unsigned extensions using Develop → Allow Unsigned
   Extensions
6. Navigate to [docs.google.com](https://docs.google.com)
7. Load any Google doc
8. Press the star button on the toolbar, granting permission to run if needed.
9. Open the Javascript console from the Develop menu
10. Look for the line beginning, `"Script ran..."`.
11. As per the message look for CSP errors prior to that line.
12. Enter `window.testme` + <kbd>Enter</kbd> an observe the result.

Expected results:

- No CSP errors
- `"ok"` is returned

Actual results:

- Several CSP errors of the form "Refused to execute a script because its hash,
  its nonce, or 'unsafe-inline' does not appear in the script-src directive of
  the Content Security Policy".
- `undefined` is returned.

To compare with Firefox / Chrome:

1. Install [`npx`](https://www.npmjs.com/package/npx) globally.
2. From the root `csp-bug` folder, run `npx web-ext run` for Firefox, or
   `npx web-ext run -t chromium` for Chrome.
3. Similarly, load any document from [docs.google.com](https://docs.google.com)
   and check the Developer console (<kbd>F12</kbd> → Console).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211106/1bedd2db/attachment.htm>