[Webkit-unassigned] [Bug 270588] REGRESSION (Safari 17?): Script tag with valid CSP nonce fails to load with escaped <script> in an attribute value

bugzilla-daemon at webkit.org
Mon Mar 25 09:55:15 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=270588

youenn fablet <youennf at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
                 CC|                            |annevk at annevk.nl,
                   |                            |youennf at gmail.com

--- Comment #3 from youenn fablet <youennf at gmail.com> ---
https://w3c.github.io/webappsec-csp/#is-element-nonceable says:
- If attribute’s value contains an ASCII case-insensitive match for "<script" or "<style", return "Not Nonceable".

Testing in Firefox, I also get a CSP error:
Content-Security-Policy: The page's settings blocked the loading of a resource at https://s4.bcbits.com/bundle/bundle/1/head-c13a053f90fe799f77dee956c87a57f7.js ("script-src").

It seems that Chrome, Firefox and Safari are all aligned here.
AIUI, though this is somewhat overzealous, implementations are aligned with the spec: the attribute value is computed by unescaping the characters.

To make progress on this, it seems that we should go to the spec and change/clarify the intent. CCing @Anne, if he has thoughts on this.

Marking as INVALID for now; we can reopen or create a new bug after hearing from CSP spec editors.

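The check discussed in the comment above, as an added example (not WebKit's code and not part of the original message): a JavaScript model of the CSP "is element nonceable" steps for a `<script>` element, run on attribute values as written in page source. The `decodeAttributeValue` helper, the function names and the sample attributes are assumptions made for illustration; the decoder handles only a few character references, standing in for the HTML parser.

```javascript
// Simplified stand-in for the HTML parser's character-reference decoding.
// Only numeric references and four named ones are handled (assumption).
const NAMED = new Map([["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"']]);

function decodeAttributeValue(raw) {
  return raw.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (match, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return NAMED.has(ref) ? NAMED.get(ref) : match;
  });
}

// Without the "u" flag, /i never folds a non-ASCII character onto an ASCII
// one, so this is an ASCII case-insensitive match for "<script" or "<style".
const MARKER = /<(?:script|style)/i;

// attrs: [name, rawValue] pairs of one <script> start tag, in source order.
// The comparison runs on the decoded value, which is what the parser hands
// to CSP, so an escaped "&lt;script" is seen as "<script".
function isNonceable(attrs) {
  const seen = new Set();
  let hasNonce = false, hasMarker = false, hasDuplicate = false;
  for (const [name, rawValue] of attrs) {
    const lower = name.toLowerCase();
    if (seen.has(lower)) { hasDuplicate = true; continue; } // parser drops repeats
    seen.add(lower);
    if (lower === "nonce") hasNonce = true;
    if (MARKER.test(lower) || MARKER.test(decodeAttributeValue(rawValue))) {
      hasMarker = true;
    }
  }
  if (!hasNonce) return "Not Nonceable";
  if (hasMarker) return "Not Nonceable";
  if (hasDuplicate) return "Not Nonceable";
  return "Nonceable";
}

// Constructed sample tags (values are illustrative, not from the bug report).
const plain = [["nonce", "r4nd0m"], ["src", "/app.js"]];
const escapedMarkup = [...plain, ["data-tpl", "&lt;script&gt;x&lt;/script&gt;"]];
const hexReference = [...plain, ["data-tpl", "&#x3C;STYLE&#x3E;"]];
const doubleEscaped = [...plain, ["data-tpl", "&amp;lt;script&amp;gt;"]];
```

A page author hitting this CSP error can run the same check over their own script tags to find the attribute that disqualifies the nonce.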