[Webkit-unassigned] [Bug 239840] New: worker csp with script-src 'strict-dynamic' and script-src-elem blocks importScripts that should pass

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 27 23:22:26 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239840

            Bug ID: 239840
           Summary: worker csp with script-src 'strict-dynamic' and
                    script-src-elem blocks importScripts that should pass
           Product: WebKit
           Version: Safari 15
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: webkit at massivemedia.net.nz

Hi team,

I have encountered an issue in Safari 15.4 on iOS and macOS where a worker loaded with a CSP header calls importScripts to bring in a local script and fails unexpectedly. I was serving a worker script with the same CSP as used elsewhere in an application and encountered this issue.

I managed to boil it down to a CSP that fails, but it's not obvious to me why. I think it's a bug, but apologies if not.

A worker loaded with the following CSP fails to load a script via importScripts:
default-src 'self'; script-src 'strict-dynamic'; script-src-elem 'self';

Removing either "'strict-dynamic'" OR "script-src-elem 'self';" resolves the issue, e.g. either:
default-src 'self'; script-src 'strict-dynamic';
default-src 'self'; script-src-elem 'self';


I have a small test case that loads a worker that calls importScripts; none of these cases fail in the latest Chrome/Firefox/Opera/Edge.

https://www.tests.massivedev.com/safari-worker-csp/?csp=1 - this fails in Safari 15.4
https://www.tests.massivedev.com/safari-worker-csp/?csp=2
https://www.tests.massivedev.com/safari-worker-csp/?csp=3
https://www.tests.massivedev.com/safari-worker-csp/?csp=4
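For readers who want to see why the first policy is expected to pass, here is a small added model of how CSP Level 3 chooses the directive that governs an importScripts() request (importScripts fetches a "script" destination, so script-src-elem applies, falling back to script-src and then default-src). This is example code written for this page, not the reporter's test case and not WebKit's implementation; it deliberately omits nonces and hashes, models 'strict-dynamic' only as "host-based sources are ignored and a request that was not parser-inserted is allowed", and the worker and script URLs are constructed placeholders.

```python
"""Toy model of CSP3 directive fallback for a worker's importScripts().

Simplifications (assumptions, not the spec in full): nonces/hashes are not
modelled, and 'strict-dynamic' is reduced to "ignore host-based sources and
allow requests that were not parser-inserted" (importScripts never is).
"""
from urllib.parse import urlsplit

# CSP3 fallback chain for a request whose destination is "script".
FALLBACK_CHAIN = ("script-src-elem", "script-src", "default-src")

# Constructed placeholder URLs: the worker and a same-origin script it imports.
WORKER_URL = "https://worker.example/csp-test/worker.js"
LOCAL_SCRIPT = "https://worker.example/csp-test/lib.js"

# The three policies from the report above.
POLICY_1 = "default-src 'self'; script-src 'strict-dynamic'; script-src-elem 'self';"
POLICY_2 = "default-src 'self'; script-src 'strict-dynamic';"
POLICY_3 = "default-src 'self'; script-src-elem 'self';"


def parse_csp(header: str) -> dict:
    """Turn "name src src; name src" into {name: [src, ...]}.

    Directive names are case-insensitive; a repeated directive is ignored,
    as the spec requires (first occurrence wins).
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy: dict):
    """Return (name, source_list) for the first present directive in the chain."""
    for name in FALLBACK_CHAIN:
        if name in policy:
            return name, policy[name]
    return None, []


def same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def host_source_matches(expr: str, script_url: str, self_url: str) -> bool:
    """Match one host-based source expression: 'self', scheme:, or host[:port]."""
    e = expr.lower()
    s = urlsplit(script_url)
    if e == "'self'":
        return same_origin(script_url, self_url)
    if e.startswith("'"):                      # 'none', nonces, hashes, keywords: not host sources
        return False
    if e.endswith(":"):                        # scheme-source, e.g. "https:"
        return s.scheme == e[:-1]
    if "://" not in e:                         # host-source without scheme: assume self's scheme
        e = f"{urlsplit(self_url).scheme}://{e}"
    t = urlsplit(e)
    host_ok = s.hostname == t.hostname or (
        t.hostname is not None and t.hostname.startswith("*.")
        and s.hostname is not None and s.hostname.endswith(t.hostname[1:])
    )
    port_ok = t.port is None or t.port == s.port
    return s.scheme == t.scheme and host_ok and port_ok


def import_scripts_allowed(header: str, script_url: str, worker_url: str,
                           parser_inserted: bool = False):
    """Decide whether importScripts(script_url) passes the worker's CSP.

    Returns (allowed, reason) so the reason can be shown to the reader.
    """
    name, sources = governing_directive(parse_csp(header))
    if name is None:
        return True, "no governing directive"
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return False, f"{name} is 'none'"
    if "'strict-dynamic'" in lowered:
        # Host-based sources are ignored; a non-parser-inserted request is trusted.
        return (not parser_inserted), f"{name} has 'strict-dynamic'"
    for expr in sources:
        if host_source_matches(expr, script_url, worker_url):
            return True, f"{name}: matched {expr}"
    return False, f"{name}: no source matched"


if __name__ == "__main__":
    for label, policy in (("csp=1", POLICY_1), ("csp=2", POLICY_2), ("csp=3", POLICY_3)):
        allowed, reason = import_scripts_allowed(policy, LOCAL_SCRIPT, WORKER_URL)
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

Under this model, csp=1 is governed by script-src-elem, whose 'self' matches the same-origin script, so the 'strict-dynamic' in script-src never comes into play; csp=2 falls back to script-src, where 'strict-dynamic' trusts the non-parser-inserted importScripts request; csp=3 is again governed by script-src-elem. All three allow the load, which matches the behaviour reported for Chrome, Firefox, Opera and Edge.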


