Changeset 293603 in webkit

Timestamp:

Apr 28, 2022 6:59:02 PM (3 months ago)

Author:

Patrick Griffis

Message:

CSP: Fix mixing strict-dynamic and unsafe-inline policies
​https://bugs.webkit.org/show_bug.cgi?id=239862

Reviewed by Kate Cheney.

Source/WebCore:

Test: http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies.html

• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):

LayoutTests:

If you had multiple policies, one including strict-dynamic and another with unsafe-inline, the unsafe-inline
policy was incorrectly handled.

• http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-04-28  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Fix mixing strict-dynamic and unsafe-inline policies
+        https://bugs.webkit.org/show_bug.cgi?id=239862
+
+        Reviewed by Kate Cheney.
+
+        If you had multiple policies, one including strict-dynamic and another with unsafe-inline, the unsafe-inline
+        policy was incorrectly handled.
+
+        * http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies.html: Added.
+
 2022-04-28  Oriol Brufau  <obrufau@igalia.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-04-28  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Fix mixing strict-dynamic and unsafe-inline policies
+        https://bugs.webkit.org/show_bug.cgi?id=239862
+
+        Reviewed by Kate Cheney.
+
+        Test: http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-unsafe-inline-policies.html
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForNonParserInsertedScripts const):
+
 2022-04-28  Oriol Brufau  <obrufau@igalia.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -247 +247 @@
         || checkNonParserInsertedScripts(operativeDirective, parserInserted)
         || checkNonce(operativeDirective, nonce)
-        || checkSource(operativeDirective, url))
+        || checkSource(operativeDirective, url)
+        || (url.isEmpty() && checkInline(operativeDirective)))
         return nullptr;
     return operativeDirective;