[Webkit-unassigned] [Bug 238014] New: WebKit (and safari) doesn't use nonce from link to load style sheet
bugzilla-daemon at webkit.org
Thu Mar 17 02:59:25 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=238014
Bug ID: 238014
Summary: WebKit (and safari) doesn't use nonce from link to load style sheet
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: martijn.dashorst at gmail.com
CC: beidson at apple.com
Created attachment 454946
--> https://bugs.webkit.org/attachment.cgi?id=454946&action=review
Expected page render
Loading pages that have CSP enabled and use nonces in their <link> tags fail to load the style sheets with the message below:
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-code-pro/stylesheet-ver-3BE5D9697D52863D3AC0665326707F93.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/fonts/source-sans-pro/stylesheet-ver-2E00A7746864396B7D49CAC4751B015A.css because it does not appear in the style-src directive of the Content Security Policy.
[Error] Refused to load https://examples9x.wicket.apache.org/wicket/resource/org.apache.wicket.examples.WicketExamplePage/style-ver-41F7F0F12583ECD409B8A430A534FB94.css because it does not appear in the style-src directive of the Content Security Policy.
You can find such an example here: https://examples9x.wicket.apache.org/index.html
This works in Safari < 5.4, but is broken in Safari 5.4. I have tested this in Epiphany latest and it is broken there as well, so this seems to be a WebKit issue.
Relevant specification part: https://www.w3.org/TR/CSP3/#style-src-pre-request
> If the result of executing § 6.6.2.2 Does nonce match source list? on request’s cryptographic nonce metadata and this directive’s value is "Matches", return "Allowed".
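To make the cited spec step concrete, here is an added example (written for this page, not WebKit or Wicket code) that models the CSP3 "style-src pre-request" check for a stylesheet fetch carrying a nonce. It parses a serialized policy, applies the spec's "Does nonce match source list?" test (the nonce must be non-empty and equal the base64 value of some `'nonce-...'` expression; the `nonce-` prefix is case-insensitive, the value is not), and only falls back to URL matching when no nonce matches. The policy string, request objects, `R4nd0m` nonce, and `app.example` / `cdn.example` origins are constructed for the example, and the URL matching is a simplified host-source comparison (no wildcards or paths).

```javascript
// Added example: a model of CSP3 "style-src pre-request" for a <link rel=stylesheet> fetch.
// Spec: https://www.w3.org/TR/CSP3/#style-src-pre-request
// Not WebKit's implementation; policy and request values below are constructed.

// Parse "default-src 'none'; style-src 'self' 'nonce-abc'" into a Map of
// lowercase directive name -> list of source expressions. First occurrence wins.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// CSP3 §6.6.2.2 "Does nonce match source list?": an empty nonce never matches;
// otherwise look for a 'nonce-<value>' expression whose value is byte-for-byte equal.
function nonceMatchesSourceList(nonce, sourceList) {
  if (!nonce) return "Does Not Match";
  for (const expr of sourceList) {
    const m = /^'nonce-(.+)'$/i.exec(expr); // prefix case-insensitive, value case-sensitive
    if (m && m[1] === nonce) return "Matches";
  }
  return "Does Not Match";
}

// Simplified "Does url match source list?": handles 'none', *, 'self' and
// plain scheme://host[:port] origins (assumption: no wildcard hosts or path matching).
function urlMatchesSourceList(url, sourceList, documentOrigin) {
  const target = new URL(url);
  for (const expr of sourceList) {
    if (expr === "'none'") continue;
    if (expr === "*") return "Matches";
    if (expr === "'self'") {
      if (target.origin === documentOrigin) return "Matches";
      continue;
    }
    if (expr.startsWith("'")) continue; // other keywords/hashes never match a URL
    try {
      if (target.origin === new URL(expr).origin) return "Matches";
    } catch {
      // not parseable as an origin in this simplified model; treat as no match
    }
  }
  return "Does Not Match";
}

// "style-src pre-request": effective directive is style-src, falling back to
// default-src. A nonce match is consulted BEFORE the URL is compared, which is
// the step the bug report says WebKit skips for <link> elements.
function styleSrcPreRequest(request, serializedPolicy, documentOrigin) {
  const directives = parsePolicy(serializedPolicy);
  const sourceList = directives.get("style-src") ?? directives.get("default-src");
  if (sourceList === undefined) return "Allowed"; // no governing directive
  if (nonceMatchesSourceList(request.nonce, sourceList) === "Matches") return "Allowed";
  if (urlMatchesSourceList(request.url, sourceList, documentOrigin) === "Matches") return "Allowed";
  return "Blocked";
}

// Constructed scenario mirroring the report: a cross-origin stylesheet whose <link>
// carries the policy's nonce must be Allowed; the same URL without the nonce is Blocked.
const examplePolicy = "default-src 'none'; style-src 'self' 'nonce-R4nd0m'";
const documentOrigin = "https://app.example";
console.log(styleSrcPreRequest({ url: "https://cdn.example/style.css", nonce: "R4nd0m" }, examplePolicy, documentOrigin)); // Allowed
console.log(styleSrcPreRequest({ url: "https://cdn.example/style.css", nonce: "" }, examplePolicy, documentOrigin));       // Blocked
```

The second call reproduces the "does not appear in the style-src directive" outcome: if an implementation drops the nonce metadata from a `<link>` fetch, the only remaining path is the URL comparison, and a cross-origin stylesheet is refused even though the author's policy allowed it by nonce.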