[Webkit-unassigned] [Bug 270784] New: CSP: External script with matching SRI hash is blocked when 'strict-dynamic' is present in script-src
bugzilla-daemon at webkit.org
Mon Mar 11 03:46:39 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=270784
Bug ID: 270784
Summary: CSP: External script with matching SRI hash is blocked when 'strict-dynamic' is present in script-src
Product: WebKit
Version: Safari 17
Hardware: Mac (Apple Silicon)
OS: macOS 14
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fotis.papadogeorgopoulos at wolt.com
Created attachment 470284
--> https://bugs.webkit.org/attachment.cgi?id=470284&action=review
HTML file that loads an external script with SRI hash
When `script-src 'strict-dynamic'` is present in a CSP, external scripts with matching SRI hashes (via `integrity`) are blocked.
If 'strict-dynamic' is removed, then scripts with a matching SRI are allowed (subject to the regular CSP hash checks).
We recently ran into this at wolt.com when migrating to a new CSP design. We rely on 'strict-dynamic' with external script SRI hashes for our script loading. This works as expected on Firefox and Chrome, but I admit that I am not familiar enough with the spec to make a call either way :)
At the moment, we have to use user agent sniffing to avoid the scripts getting blocked on Safari, which is not ideal. We would like to understand whether this blocking is intended or incidental.
CSP for external script SRI hashes was implemented at https://bugs.webkit.org/show_bug.cgi?id=233911, but it does not specifically address 'strict-dynamic', as far as I can tell.
I have a reproduction at https://github.com/fpapado/csp-strict-dynamic-external-script-hash and a PR for WPT, if that runner is more familiar: https://github.com/web-platform-tests/wpt/pull/44769. I am also attaching an index.html file, but there is a single-attachment limit, so it is not useful by itself.
Please let me know if there is any other information that I can provide, and I will get back to you promptly! It's likely I missed something.
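The report above describes a page whose `script-src` carries both a hash-source and `'strict-dynamic'`, with the external script's `integrity` attribute holding the same hash. The script below is an added example, not code from the bug report, the linked repository, or WebKit: it computes the SRI token from the script bytes, builds the two policy variants the reporter compares (with and without `'strict-dynamic'`), and implements the CSP3 hash-source check for an external script with integrity metadata, under which the keyword does not change the outcome. The script body and the `/static/app.js` path are constructed sample values.

```python
"""Added example: SRI `integrity` token vs. CSP hash-source, and the CSP3
rule that an external script whose integrity metadata matches a hash-source
in script-src is allowed, independently of 'strict-dynamic'."""
import base64
import hashlib
import re

# Constructed sample script body. In practice this must be the exact bytes
# the server delivers for the external script, or the hash will not match.
SCRIPT_BODY = b"console.log('hello from the external script');\n"

# Hash-source / SRI token grammar: 'sha256-' | 'sha384-' | 'sha512-' + base64.
_HASH_SOURCE = re.compile(r"'(sha(?:256|384|512)-[A-Za-z0-9+/]+=*)'")


def sri_token(body: bytes, alg: str = "sha256") -> str:
    """Return the token used both in integrity="..." and, quoted, as a CSP
    hash-source. Both use the same algorithm label and standard base64."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def build_script_src(tokens, strict_dynamic: bool = True) -> str:
    """Build a script-src directive from hash tokens, optionally adding
    'strict-dynamic' (the variant the report says WebKit blocks)."""
    sources = [f"'{t}'" for t in tokens]
    if strict_dynamic:
        sources.append("'strict-dynamic'")
    return "script-src " + " ".join(sources)


def hash_sources(directive: str) -> set:
    """Extract the hash-source tokens from a script-src directive value."""
    name, _, value = directive.partition(" ")
    assert name == "script-src", "only script-src is modelled here"
    return {m.group(1) for m in _HASH_SOURCE.finditer(value)}


def integrity_allows(directive: str, integrity_attr: str) -> bool:
    """CSP3-style check for an external script element with integrity
    metadata: every token in the integrity attribute must appear as a
    hash-source in script-src. Keyword sources such as 'strict-dynamic'
    are neither required nor consulted for this decision."""
    tokens = integrity_attr.split()
    if not tokens:
        return False  # no integrity metadata: this bypass does not apply
    return all(t in hash_sources(directive) for t in tokens)


def build_page(token: str, directive: str) -> str:
    """Render a minimal test page: the policy as a meta tag plus the script
    element carrying the matching integrity attribute."""
    return (
        f'<meta http-equiv="Content-Security-Policy" content="{directive}">\n'
        f'<script src="/static/app.js" integrity="{token}" '
        f'crossorigin="anonymous"></script>\n'
    )


if __name__ == "__main__":
    token = sri_token(SCRIPT_BODY)
    for strict in (True, False):
        directive = build_script_src([token], strict_dynamic=strict)
        print(directive)
        print("allowed by hash-source match:", integrity_allows(directive, token))
    print(build_page(token, build_script_src([token])))
```

Run it and paste the rendered page into a test server to reproduce the comparison the reporter describes; changing a single byte of the script body changes the token and makes `integrity_allows` return `False`, which is the behaviour expected in every browser regardless of `'strict-dynamic'`.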