<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - CSP: Do not send report violation for policies that have hash but not 'unsafe-inline'"
   href="https://bugs.webkit.org/show_bug.cgi?id=159832">159832</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>CSP: Do not send report violation for policies that have hash but not 'unsafe-inline'
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore Misc.
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dbates&#64;webkit.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>bfulgham&#64;webkit.org, wilander&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Suppose a page has the following markup:

...
&lt;head&gt;
&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'sha256-A'&quot;&gt;
&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'&quot;&gt;
&lt;/head&gt;
&lt;script&gt;/* A script whose CSP SHA is 'sha256-A'. */&lt;/script&gt;
...

Then we should send exactly one CSP violation report that explains that the script was blocked because it violated the second CSP meta tag.

We should have similar behavior for policies that have hashes for style elements.</pre>
        </div>
      </p>
    </body>
</html>