[Webkit-unassigned] [Bug 273148] New: Plain text document generates CSP error
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Apr 23 14:01:20 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273148
Bug ID: 273148
Summary: Plain text document generates CSP error
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: timdream at gmail.com
STR:
1. Setup a website with strict content security policy, returning response header like `"Content-Security-Policy: default-src 'none';`.
2. Serve a `Content-type: text/plain` document.
Expected:
1. Text document is rendered correctly without any errors in the console.
Actual:
1. Text document is rendered correctly but with error complaining about inline style.
```
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
```
Note:
The inline style is inserted from the fake document here:
https://github.com/WebKit/WebKit/blob/dca6ec38e14d781a8298cfb23ebbbc63351db19a/Source/WebCore/html/parser/TextDocumentParser.cpp#L60
Maybe we should switch to User Agent Shadow Root instead of generate fake document in the parser? Is it possible (and safe) to insert the hash to CSP?
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240423/b7da7787/attachment.htm>
More information about the webkit-unassigned
mailing list