[Webkit-unassigned] [Bug 233071] New: Allowlisting empty elements via content hashes in CSP directives is inconsistent across browser engines

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 12 13:45:59 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=233071

            Bug ID: 233071
           Summary: Allowlisting empty elements via content hashes in CSP
                    directives is inconsistent across browser engines
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: andybons at stripe.com
                CC: katherine_cheney at apple.com

The following page renders a red background on Chromium and Gecko, but not on WebKit, where a CSP violation blocks the stylesheet:

<!DOCTYPE html>
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; script-src 'unsafe-inline'"
/>
<html lang="en">
  <script type="module">
    const style = document.createElement("style");
    style.appendChild(document.createTextNode(""));
    document.head.appendChild(style);
    const { sheet } = style;
    if (sheet) {
      sheet.insertRule("body { background: red; }");
      console.info("background should be red now");
    } else {
      console.error("no sheet found :(");
    }
  </script>
</html>

The <style> node is empty, so the hash source for the empty string (sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=) matches it and the stylesheet applies to the page on Chromium and Gecko.

On WebKit, ContentSecurityPolicy::findHashOfContentInPolicies always returns false for an empty style element (see https://sourcegraph.com/github.com/WebKit/WebKit/-/blob/Source/WebCore/page/csp/ContentSecurityPolicy.cpp?L362).

A workaround on WebKit is to append some arbitrary content to the <style> tag:

<!DOCTYPE html>
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; style-src 'self' 'sha256-0hAheEzaMe6uXIKV4EehS9pu1am1lj/KnnzrOYqckXk='; script-src 'unsafe-inline'"
/>
<html lang="en">
  <script type="module">
    const style = document.createElement("style");
    style.appendChild(document.createTextNode("/**/"));
    document.head.appendChild(style);
    const { sheet } = style;
    if (sheet) {
      sheet.insertRule("body { background: red; }");
      console.info("background should be red now");
    } else {
      console.error("no sheet found :(");
    }
  </script>
</html>
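The hash matching behind both pages above, as an added Python example that is not part of the bug report or of WebKit: it computes CSP hash sources the way a browser does (base64 of the digest of the element's UTF-8 text content), parses the two policies from the report, and shows that the spec-style check accepts the empty <style> element while the reported WebKit behaviour (modelled here by the assumed `webkit_quirk` flag) rejects it. Only the element's text content is hashed; rules added later through CSSOM insertRule are not subject to the check, which is why the report's trick works once the element itself is allowed.

```python
import base64
import hashlib
import re

# The two policies from the bug report (the meta http-equiv content attributes).
POLICY_EMPTY = ("default-src 'self'; style-src 'self' "
                "'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; "
                "script-src 'unsafe-inline'")
POLICY_WORKAROUND = ("default-src 'self'; style-src 'self' "
                     "'sha256-0hAheEzaMe6uXIKV4EehS9pu1am1lj/KnnzrOYqckXk='; "
                     "script-src 'unsafe-inline'")

# CSP hash-source: 'sha256-<base64>' (sha384 and sha512 are also valid).
_HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)'$")


def hash_source(content: str, algorithm: str = "sha256") -> str:
    """Hash source for inline content: base64 of the digest of its UTF-8 bytes."""
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def hash_sources(policy: str, directive: str) -> list:
    """Return (algorithm, base64 digest) pairs listed in one directive, e.g. style-src."""
    for serialized in policy.split(";"):
        tokens = serialized.split()
        if tokens and tokens[0].lower() == directive:
            return [(m.group(1), m.group(2))
                    for m in map(_HASH_SOURCE.match, tokens[1:]) if m]
    return []


def inline_style_allowed(content: str, policy: str, webkit_quirk: bool = False) -> bool:
    """Spec-style check: an inline <style> is allowed when any hash source in
    style-src matches the hash of its text content. webkit_quirk=True is an
    assumed model of the behaviour the report describes: empty content never
    matches, whatever the policy lists."""
    if webkit_quirk and content == "":
        return False
    for algorithm, expected in hash_sources(policy, "style-src"):
        if hash_source(content, algorithm) == f"'{algorithm}-{expected}'":
            return True
    return False


if __name__ == "__main__":
    for label, policy, text in (("empty <style>", POLICY_EMPTY, ""),
                                ("workaround <style>", POLICY_WORKAROUND, "/**/")):
        print(label, hash_source(text), "spec:", inline_style_allowed(text, policy),
              "webkit-as-reported:", inline_style_allowed(text, policy, webkit_quirk=True))
```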

From Kate Cheney in WebKit Slack:

> After a brief look at the spec, the empty string hash case doesn't seem to be explicitly talked about, but I don't see a reason here why we shouldn't match behavior of other major browsers. Could you file a bug on https://bugs.webkit.org about this?
