[Webkit-unassigned] [Bug 238014] New: WebKit (and safari) doesn't use nonce from link to load style sheet

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 17 02:59:25 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=238014

            Bug ID: 238014
           Summary: WebKit (and safari) doesn't use nonce from link to
                    load style sheet
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: martijn.dashorst at gmail.com
                CC: beidson at apple.com

Created attachment 454946

  --> https://bugs.webkit.org/attachment.cgi?id=454946&action=review

Expected page render

Loading pages that have CSP enabled and use nonces in their <link> tags fails to load the style sheets, with the message below:

[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css because it does not appear in the style-src directive of the Content Security Policy.

You can find such an example here: https://examples9x.wicket.apache.org/index.html 

This works in Safari < 5.4, but is broken in Safari 5.4. I have tested this in Epiphany latest and it is broken there as well, so this seems to be a WebKit issue.

Relevant specification part: https://www.w3.org/TR/CSP3/#style-src-pre-request

> If the result of executing § 6.6.2.2 Does nonce match source list? on request’s cryptographic nonce metadata and this directive’s value is "Matches", return "Allowed".
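To make the cited spec step concrete, here is an added JavaScript model of the CSP3 "Does nonce match source list?" algorithm (§ 6.6.2.2) and the style-src pre-request check, applied to a stylesheet <link> modelled as a plain `{ href, nonce }` object. This is example code written for this page, not code from the bug report, from Wicket, or from WebKit; the function names (`parseCsp`, `nonceMatchesSourceList`, `hostMatches`, `styleSrcPreRequestCheck`), the simplified host matching, and the sample policy, origin and nonce values are all my own constructions. It shows the spec-conforming outcome (a matching nonce on the <link> is "Allowed" before any host matching is consulted) beside the outcome of ignoring the element's nonce, which is what the errors quoted above amount to.

```javascript
// Added example (not from the bug report or WebKit): a minimal model of the
// CSP3 "Does nonce match source list?" algorithm (§ 6.6.2.2) and of the
// style-src pre-request check, for a <link rel="stylesheet"> modelled as
// { href, nonce }. All function names and sample values are assumptions.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const token of headerValue.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    // CSP keeps the first occurrence of a directive and ignores duplicates.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// CSP3 § 6.6.2.2: returns "Matches" or "Does Not Match".
function nonceMatchesSourceList(nonce, sourceList) {
  // An empty (or absent) nonce never matches anything.
  if (!nonce) return 'Does Not Match';
  // nonce-source = "'nonce-" base64-value "'"
  const nonceSource = /^'nonce-([A-Za-z0-9+/\-_]+={0,2})'$/;
  for (const expression of sourceList) {
    const m = nonceSource.exec(expression);
    // The base64-value must equal the request's nonce exactly.
    if (m && m[1] === nonce) return 'Matches';
  }
  return 'Does Not Match';
}

// Simplified host-source matching: 'self' or an exact scheme://host prefix.
// Real CSP matching also handles wildcards, ports and paths; this is only
// enough to show where host matching sits relative to the nonce check.
function hostMatches(url, documentOrigin, sourceList) {
  for (const expression of sourceList) {
    if (expression === "'self'" && url.startsWith(documentOrigin + '/')) return true;
    if (!expression.startsWith("'") && url.startsWith(expression)) return true;
  }
  return false;
}

// style-src pre-request check for a stylesheet link. Returns "Allowed" or "Blocked".
function styleSrcPreRequestCheck(policyHeader, link, documentOrigin) {
  const directives = parseCsp(policyHeader);
  // style-src falls back to default-src; with neither present there is
  // nothing to enforce.
  const sourceList = directives.get('style-src') ?? directives.get('default-src');
  if (sourceList === undefined) return 'Allowed';
  // The step quoted in the bug report: a matching nonce allows the load
  // before any host-source matching is attempted.
  if (nonceMatchesSourceList(link.nonce, sourceList) === 'Matches') return 'Allowed';
  return hostMatches(link.href, documentOrigin, sourceList) ? 'Allowed' : 'Blocked';
}

// Constructed sample data: a per-response nonce, the header the server
// would send, the document origin, and a stylesheet link on another host.
const SAMPLE_NONCE = 'r4nd0mN0nce1234';
const SAMPLE_POLICY = `default-src 'self'; style-src 'nonce-${SAMPLE_NONCE}'`;
const SAMPLE_ORIGIN = 'https://example.test';
const SAMPLE_LINK = { href: 'https://cdn.example.test/style.css', nonce: SAMPLE_NONCE };

// Spec-conforming result versus the result of dropping the element's nonce.
console.log('with nonce:   ', styleSrcPreRequestCheck(SAMPLE_POLICY, SAMPLE_LINK, SAMPLE_ORIGIN));
console.log('nonce ignored:', styleSrcPreRequestCheck(SAMPLE_POLICY, { href: SAMPLE_LINK.href, nonce: '' }, SAMPLE_ORIGIN));
```

The second call reproduces the failure mode in the report: once the nonce on the <link> is not consulted, the only remaining route is host matching, and a style-src list that contains nothing but a nonce-source then blocks every stylesheet. Note that the fallback to default-src applies only when style-src is absent entirely, so adding 'self' to default-src does not rescue a page whose style-src lists only a nonce.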
