[Webkit-unassigned] [Bug 237419] New: Invalid characters in HTTP Content-Security-Policy value doesn't impact the CSP
bugzilla-daemon at webkit.org
Thu Mar 3 04:32:46 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=237419
Bug ID: 237419
Summary: Invalid characters in HTTP Content-Security-Policy value doesn't impact the CSP
Product: WebKit
Version: Safari Technology Preview
Hardware: Mac (Intel)
OS: macOS 10.15
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: karl+webkit at la-grange.net
CC: beidson at apple.com
1. Go to https://www.mollysastrology.com
2. Check the HTTP Response
The value for HTTP Response
HTTP/2 200 OK
date: Thu, 03 Mar 2022 11:40:47 GMT
content-type: text/html; charset=UTF-8
content-length: 20900
cache-control: public, max-age=0
expires: Thu, 03 Mar 2022 11:40:47 GMT
last-modified: Wed, 02 Mar 2022 19:10:07 GMT
accept-ranges: bytes
content-encoding: gzip
vary: Accept-Encoding
wpx: 1
strict-transport-security: max-age=31536000; includeSubDomains
x-xss-protection: 1; mode=block
content-security-policy: default-src �self�;
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
x-turbo-charged-by: LiteSpeed
x-edge-location: WPX CLOUD/TYO02
server: WPX CLOUD/TYO02
x-cache-status: MISS
X-Firefox-Spdy: h2
Check this specific Header.
content-security-policy: default-src �self�;
Expected:
This is to be determined.
Actual:
Currently Safari Tech Preview and Edge Blink Canary do not have any issues with it.
Firefox bails out on all subsequent resources and displays only the HTML page (without JS and CSS).
Note:
This probably requires digging into the specification to determine
1. what the spec says
2. what the best course of action is: change the spec, or align the implementations of Gecko, Blink and WebKit
Basically, this creates a Webcompat issue:
https://github.com/webcompat/web-bugs/issues/100417
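The report leaves "Expected" open. One way to get a concrete answer is to run the header through the CSP3 "parse a serialized CSP" steps and see what falls out. The block below is an added example, not code from the bug report or from WebKit. It assumes two things: that the characters the archive renders as "�" were the typographic quotes U+2018/U+2019 (a common copy-paste artefact around `'self'`), and the CSP3 rule that a directive token which is not an ASCII string is skipped rather than aborting the whole policy. The header strings, the `fetchAllowed` helper and the origins used are constructed for the example.

```javascript
// Added example, not code from the bug report or from WebKit.
// Assumptions: the "�" characters were U+2018/U+2019 typographic quotes, and
// CSP3's rule that a non-ASCII directive token is skipped ("continue").

const ASCII_WS = /[ \t\n\f\r]+/;

// Strip only ASCII whitespace, as the spec says. String.prototype.trim would
// also strip Unicode whitespace such as U+00A0, which the spec does not.
function stripAsciiWhitespace(s) {
  return s.replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, "");
}

function isAsciiString(s) {
  for (const ch of s) {
    if (ch.codePointAt(0) > 0x7f) return false;
  }
  return true;
}

// Follows the per-token steps of CSP3 "parse a serialized CSP".
// Returns { directives: Map<name, string[]>, skipped: string[] } so the
// caller can see which tokens were dropped and why the policy ended up empty.
function parseSerializedCSP(serialized) {
  const directives = new Map();
  const skipped = [];
  for (const raw of serialized.split(";")) {
    const token = stripAsciiWhitespace(raw);
    if (token === "") continue;
    if (!isAsciiString(token)) {
      skipped.push(token); // CSP3: "if token is not an ASCII string, continue"
      continue;
    }
    const [name, ...value] = token.split(ASCII_WS);
    const lname = name.toLowerCase();
    if (directives.has(lname)) continue; // first occurrence of a directive wins
    directives.set(lname, value);
  }
  return { directives, skipped };
}

// Minimal source-list check: only 'self' and exact-origin host sources are
// matched, which is all this header needs. 'none' matches nothing, so a
// list of just 'none' denies. A missing directive (and missing default-src)
// means CSP does not restrict the fetch at all.
function fetchAllowed(policy, directive, resourceOrigin, pageOrigin) {
  const list = policy.directives.has(directive)
    ? policy.directives.get(directive)
    : policy.directives.get("default-src");
  if (list === undefined) return true;
  for (const expr of list) {
    const e = expr.toLowerCase();
    if (e === "'self'" && resourceOrigin === pageOrigin) return true;
    if (e === resourceOrigin) return true;
  }
  return false;
}

// Constructed inputs: the header as assumed to have been sent, an ASCII
// version of it, and the page origin from the report.
const HEADER_FROM_REPORT = "default-src \u2018self\u2019;";
const HEADER_ASCII = "default-src 'self';";
const PAGE = "https://www.mollysastrology.com";

const broken = parseSerializedCSP(HEADER_FROM_REPORT);
console.log(broken.directives.size, broken.skipped);                            // 0 [ 'default-src ‘self’' ]
console.log(fetchAllowed(broken, "script-src", "https://cdn.example", PAGE));   // true: empty policy, nothing blocked

const fixed = parseSerializedCSP(HEADER_ASCII);
console.log(fetchAllowed(fixed, "script-src", "https://cdn.example", PAGE));    // false: cross-origin script blocked
console.log(fetchAllowed(fixed, "script-src", PAGE, PAGE));                     // true: same-origin script allowed
```

Under these assumptions the non-ASCII `default-src` token is dropped and the policy is empty, so nothing is restricted. That is consistent with what the report observes in Safari Technology Preview and Blink; it does not produce the block-everything behaviour the report observes in Firefox. The `skipped` list is the thing to surface in a console warning, since an empty policy caused by a stray curly quote is otherwise invisible to the site operator.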