[Webkit-unassigned] [Bug 270784] CSP: External script with matching SRI hash is blocked when 'strict-dynamic' is present in script-src

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 10 05:53:01 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=270784

--- Comment #4 from Fotis Papadogeorgopoulos <fotis.papadogeorgopoulos at wolt.com> ---
(In reply to Karl Dubost from comment #3)
> Maybe it would be worth creating additional WPT tests for this.
> https://wpt.fyi/results/content-security-policy?label=master&label=experimental&aligned&q=safari%3Afail%20firefox%3Apass%20chrome%3Apass

Definitely, if I am reading it right, there is a gap for this case in WPT at the moment.

I made a start in this PR https://github.com/web-platform-tests/wpt/pull/44769, adding a case to the existing content-security-policy/script-src/script-src-strict_dynamic_hashes tests. I am not super familiar with authoring WPT though, so I might have missed more idiomatic ways of making those assertions :)

Here is the deployed preview branch from WPT's CI: https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_hashes.html?label=pr_head&max-count=1&pr=44769
