[Webkit-unassigned] [Bug 242054] New: CSP functional bug: Safari checks callerRealm for eval

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 28 00:21:35 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=242054

            Bug ID: 242054
           Summary: CSP functional bug: Safari checks callerRealm for eval
           Product: WebKit
           Version: Safari 15
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: seongil.wi at kaist.ac.kr

Hello,

As far as I know, if a parent frame forbids 'unsafe-eval' and a child frame allows 'unsafe-eval', and both are on the same origin, childIframeElement.contentWindow.eval('foo') should be allowed.
(Check only callerRealm for eval.)

[*] https://github.com/w3c/webappsec-csp/pull/540
[*] https://github.com/w3c/webappsec-csp/issues/438

However, I observed that Safari does not follow the spec.
To reproduce the bug, please visit the following page:

```html
<!-- test.html -->
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123';">
</head>
<body>
 <iframe id=GGGdCcdaGGG src=self.html></iframe>
 <script nonce=123>
 GGGdCcdaGGG.onload=_=>GGGdCcdaGGG.contentWindow.eval("alert(1)");
 GGGdCcdaGGG.contentWindow.location.reload();
 </script>
</body>
</html>
```

```html
<!-- self.html: empty file -->
```

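The following is an added model of the decision the report is about, written for this page; it is not WebKit code and not part of the reporter's test case. It parses a CSP string, decides whether that policy permits string compilation (`'unsafe-eval'` in `script-src`, falling back to `default-src`), and encodes the spec rule the report cites: only the policy of the realm whose `eval()` was invoked (the child frame in the repro) decides. Realm policies are passed as plain strings, with `null` standing for a document that carries no CSP (the empty `self.html`); the function names and the `conforms` helper are assumptions made for this example.

```javascript
// Added example (not WebKit or reporter code): which policy governs eval()?

// Parse a CSP value ("directive source source; directive ...") into a
// Map of directive name -> array of source expressions. As in CSP,
// the first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of (policy || "").split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does this single policy permit string compilation (eval, new Function)?
// script-src governs eval; default-src is the fallback when script-src is
// absent; a document with no policy at all (null) is unrestricted.
function policyAllowsEval(policy) {
  if (policy === null || policy === undefined) return true;
  const d = parseCsp(policy);
  const list = d.get("script-src") ?? d.get("default-src");
  if (list === undefined) return true;
  return list.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Spec rule per w3c/webappsec-csp PR 540 as described in the report: for
// child.contentWindow.eval(...), only the child's own policy is consulted.
// The parent's policy is accepted here only to make the scenario explicit.
function expectedEvalAllowed(parentCsp, childCsp) {
  return policyAllowsEval(childCsp);
}

// Assumed helper for writing engine conformance checks: compare what a
// browser actually did (observedAllowed) with the spec expectation.
function conforms(parentCsp, childCsp, observedAllowed) {
  return expectedEvalAllowed(parentCsp, childCsp) === observedAllowed;
}

// The report's repro: parent forbids eval via a nonce-only script-src,
// the child (self.html) has no CSP. The spec expects the eval to run.
const REPRO_PARENT = "script-src 'nonce-123';";
const REPRO_CHILD = null;

function reproExpectation() {
  return {
    parentAllowsEval: policyAllowsEval(REPRO_PARENT), // false
    childAllowsEval: policyAllowsEval(REPRO_CHILD),   // true
    expected: expectedEvalAllowed(REPRO_PARENT, REPRO_CHILD), // true
  };
}

console.log(reproExpectation());
```

Running the block prints the expectation for the repro page; a blocked eval there (the behaviour the report describes) makes `conforms(REPRO_PARENT, REPRO_CHILD, false)` return `false`. The same helpers cover the inverse case, a parent that allows eval and a child that forbids it, where the spec expects the call to be blocked regardless of the parent.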