[Webkit-unassigned] [Bug 270588] New: Regression: Script tag with valid CSP nonce fails to load with escaped <script> in an attribute value

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 6 11:38:07 PST 2024


https://bugs.webkit.org/show_bug.cgi?id=270588

            Bug ID: 270588
           Summary: Regression: Script tag with valid CSP nonce fails to
                    load with escaped <script> in an attribute value
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Mac (Apple Silicon)
                OS: macOS 14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: daniel at bandcamp.com
                CC: beidson at apple.com

Created attachment 470205

  --> https://bugs.webkit.org/attachment.cgi?id=470205&action=review

HTML file that demonstrates the bug

Steps to reproduce the problem:
1. Set the Content-Security-Policy header's script-src to include a nonce value along with 'strict-dynamic' (either via the web server or an http-equiv meta tag)
2. Add a script tag with a valid nonce value and `data-foo="<script>"` (i.e. an attribute value of <script> with the < and > HTML-escaped).
3. Try to load the file.

Example html file attached.

What is the expected behavior?
Script loads.

What went wrong?
CSP blocks loading with this message in the console:

Refused to load https://s4.bcbits.com/bundle/bundle/1/head-c13a053f90fe799f77dee956c87a57f7.js because it does not appear in the script-src directive of the Content Security Policy.

Did this work before?
Yes. I'm not sure the exact version when this bug first appeared, but it was definitely working in the latest version of Safari as of Sep 16, 2021 when the issue was first reported in Chrome.

Works as expected in Firefox. This has been a problem in Chrome for a long time, but this is a new regression in Safari. Here is the equivalent bug for Chrome:
https://issues.chromium.org/issues/40791912

This smells like a heuristic XSS-protection to prevent <script> being injected into script data attributes, but it's overzealous when the attribute value is correctly escaped like in this example.
