[Webkit-unassigned] [Bug 239840] REGRESSION (iOS 15.4): Worker csp with script-src 'strict-dynamic' and script-src-elem blocks importScripts that should pass

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 4 08:25:53 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=239840

--- Comment #6 from Kate Cheney <katherine_cheney at apple.com> ---
(In reply to Patrick Griffis from comment #5)
> Didn't write a test for it yet and not sure this is the correct directive
> for everything that calls this method but the most direct fix:
> 
> diff --git a/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
> b/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
> index 7d73ac8bfb97..c7466c36f437 100644
> --- a/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
> +++ b/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
> @@ -408,8 +408,7 @@ const ContentSecurityPolicyDirective*
> ContentSecurityPolicyDirectiveList::violat
>  
>  const ContentSecurityPolicyDirective*
> ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL&
> url, bool didReceiveRedirectResponse, const
> Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests, const
> String& nonce) const
>  {
> -    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(),
> ContentSecurityPolicyDirectiveNames::scriptSrcElem);
> +    auto* operativeDirective =
> this->operativeDirective(m_scriptSrcElem.get(),
> ContentSecurityPolicyDirectiveNames::scriptSrcElem);
> 
>      if (!operativeDirective
>          ||
> operativeDirective->containsAllHashes(subResourceIntegrityDigests)
>          || checkNonce(operativeDirective, nonce)

I think this will be fine because violatedDirectiveForScript is called for non-inline script sources which should all fall under script-src-elem. We will need to use operativeDirectiveScript to ensure we fall back to script-src if script-src-elem is not present.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220504/aab60bd0/attachment.htm>

More information about the webkit-unassigned mailing list